Abstract — Noninterference provides a control over information flow in a system for ensuring confidentiality and integrity properties. In the literature this notion has been well studied as transitive noninterference and intransitive noninterference. In this paper we define a framework on the notion of conditional noninterference, which allows one to specify information flow policies based on the semantics of action channels. Our new policies subsume the policies of both transitive and intransitive noninterference, and support dynamic requirements such as upgrading and downgrading. We also present unwinding relations that are both sound and complete for the new policies.
I. Introduction

Information flow security policies are concerned with both confidentiality and integrity requirements of a system. The seminal work by Goguen and Meseguer introduces a way of defining information flow security policies by a set of noninterference assertions [17]. Each assertion specifies that a given set of actions is not allowed to interfere with a security domain. The follow-up works often interpret a noninterference policy as a relation over a set of security domains indicating the permitted flow of information. If a policy relation is transitive, it has a natural correspondence to the classical multilevel security policies of Bell and LaPadula [3], [?]. Therefore, until recently, most work in this area defines a policy on how to allow information to flow among security domains, instead of how to disallow such flow as explored in the original paper.

The transitive noninterference policies are sometimes considered too strong in many situations, because they require that information flow is totally blocked from one security domain to another at any time. A weakened version of noninterference is to allow a policy relation to be intransitive [32], [31], [?], [38]. This makes it possible to specify a more flexible flow policy. For example, one may define a policy $\leadsto \subseteq \{A, B, C\} \times \{A, B, C\}$ for a system with three security domains, such that domain $A$ is allowed to send information to domain $B$ by $A \leadsto B$ (i.e., $(A, B) \in \leadsto$), and that domain $B$ is allowed to send information to domain $C$ by $B \leadsto C$ (i.e., $(B, C) \in \leadsto$). However, domain $A$ is not allowed to directly send information to $C$ if $(A, C)$ is not in the policy relation $\leadsto$. In this case $B$ may be regarded as a channel that controls information flowing from $A$ to $C$, which is not expressible by the original (transitive) noninterference policies [32]. The notions of transitive and intransitive noninterference have been applied in different areas such as operating system verification [19], [?], security protocol verification [1], [18], and programming language analysis [33], [34].

However, it is also in the paper of Goguen and Meseguer [17] that another weakened form called conditional noninterference was proposed. Conditional noninterference associates each noninterference assertion with a constraint, in the way of $A \not\leadsto u \mid \phi$, such that the noninterference assertion takes effect (i.e., $A$ becomes invisible to $u$, as for confidentiality, or $A$ is not allowed to change $u$, as for integrity) whenever the constraint is satisfied. In other words, $A \not\leadsto u$ is conditional on $\phi$. Although this notion is not followed in subsequent works in the information flow literature (to our knowledge), it offers the insight that it is also viable to place a control before information flow is allowed to happen. Note that intransitive noninterference only specifies how to allow information propagation after an action of intended flow occurs.

In this paper, we present a policy framework for conditional noninterference to incorporate both intransitive noninterference [21] and the notion of the same name as presented by Goguen and Meseguer [17]. (We overload this term because we believe it carries the appropriate meaning.) We are going to show that noninterference assertions with additional conditions can be used to express not only channel control policies, but also other useful security requirements, including a certain class of policies for dynamic control. From the perspective of channel control, our framework turns out to be more general than intransitive noninterference in several ways.

Unwinding theorems [18], [32], [42] are useful techniques to verify noninterference-based properties. Given a set of noninterference constraints, it is possible to define a set of unwinding relations for each user (or security domain), so that if the relations satisfy a number of constraints, then it is sufficient to say that a system is secure. Unwinding is a very desirable technique since it reduces verification of noninterference properties to conditions that are easily provable by existing tools, with available examples applying the theorem provers PVS [10] and Isabelle/HOL [42]. The unwinding theorem for deterministic state-based systems is also complete if the underlying security policy on interference (i.e., the induced binary relation on the set of users) is transitive [32]. However, the (weak) unwinding relations in the literature [32], [42] are not necessary conditions for intransitive noninterference even if the system is deterministic. In fact, the weak unwinding relation for intransitive noninterference corresponds more or less to a notion that is strictly stronger than the intransitive noninterference properties [38]. In this paper, we define unwinding relations for more general classes of noninterference properties which subsume intransitive noninterference. Nevertheless, we prove that the existence of such unwinding relations is both sound and complete for a system to be secure with respect to the properties defined in this paper.

The main contributions of this paper are as follows. (1) We apply conditional noninterference to express a variety of security requirements, such as upgrading, downgrading, and channel control. (2) We identify two subclasses of conditional noninterference properties, and for each subclass we design a new unwinding technique which is both sound and complete for the properties in this class in a very general way. (3) As a byproduct, we show that a subclass of our properties can be reduced to safety properties by a doubling construction. The outline of the paper is as follows. In Sect. II we define the system model and rephrase the classical noninterference definition. Sect. III presents conditional noninterference and shows how it can be used to express many interesting security requirements. In Sect. IV we define unwinding techniques to characterize the conditional noninterference properties, and for a particular class of policies, we reduce their verification problems to safety properties. Sect. V discusses related work. Sect. VI concludes the paper and suggests possible future research directions.

II. Noninterference

We define a state machine model similar to those that one can find in the literature [17], [32]. We assume a (finite) set of users (or security domains) $U$, a set of actions $A$, and a function $dom : A \to U$ that maps each action to the user who performs it. In our model, each action is associated with a unique security domain, since in practice if there is an action that is available to more than one user, we add distinct user names as subscripts to produce different actions. The tuple $(A, U, dom)$ is called a signature, based on which we write $A_u$ for the set $\{a \in A \mid dom(a) = u\}$ for $u \in U$. We write $a, b, a_1, \ldots$ to range over $A$.

A machine for a given signature $(A, U, dom)$ is a tuple of the form $M = (S, s_0, step, obs, O)$ where

• $S$ is a set of states,

• $s_0 \in S$ is the initial state,

• $step : S \times A \to S$ is the transition function,

• $obs : U \times S \to O$ is the observation function,

• $O$ is a set of outputs.

The function $step$ describes the system transition, such that $step(s, a)$ is the unique next state when action $a$ is applied in state $s$. The function $obs$ gives the observation made in each state by a user. For readability, we 'curry' the function $obs$ as $obs_u$ of type $S \to O$ for a given $u \in U$. Note that such a machine is always input enabled by the definition of the function $step$, so that every input action is enabled in every state. Also, a machine is always deterministic in the sense that given a state $s$ and a sequence of actions $\alpha \in A^*$, the run (sequence of states) is uniquely determined. To denote the final state after the execution of a sequence of actions, define the operation $\cdot : S \times A^* \to S$ by $s \cdot \epsilon = s$ and $s \cdot (\alpha \cdot a) = step(s \cdot \alpha, a)$ for $s \in S$, $a \in A$ and $\alpha \in A^*$. We assume every state in a machine is reachable.

In this model we define observations on states, which differs from the definitions of Rushby [32], where observations are associated with actions. This distinction is not essential for many security notions [39], including noninterference. In the literature, state-observed machines have also been used by a number of authors, such as Goguen and Meseguer [17] and Bevier and Young [5]. Our choice of machine model is arbitrary.

The security policy we are to define assumes a partition on the set of actions. Given a signature $(A, U, dom)$, define a partition $Part$ over $A$ satisfying the following conditions.

1) For all $P \in Part$, there exists $u \in U$ such that $P \subseteq A_u$,

2) $\bigcup Part = A$,

3) $P_1 \cap P_2 = \emptyset$ for all distinct $P_1, P_2 \in Part$.

We define a function $part : A \to Part$ that assigns each action a unique partition. Obviously $part$ refines $dom$.

A noninterference assertion $T$ is of the form $(P \not\leadsto u)$ for $u \in U$ and $P \in Part$, referring to a security requirement that an action partition $P$ is not allowed to interfere with a user $u$.* (With respect to integrity, this assertion could also be interpreted as saying that actions in $P$ are not allowed to 'touch' $u$, where $u$ may represent a real entity, e.g., a device or a file, rather than a user.) In this case we say $T$ controls $P$ and is associated with $u$. This definition is intuitively finer than what is presented by Rushby [32], who defines interference (the complement of noninterference) as a relation over the set of users. We choose this structure for noninterference assertions not only because it is seemingly finer and more general, but also because it seems more reasonable. When noninterference is used to express complex security conditions, this structure sometimes provides a more reasonable control. For example, a user in charge of downgrading can avoid unnecessary downgrading of information by choosing actions not in the partition of downgrading actions.† A noninterference security policy is a set of noninterference assertions, for which we use symbols such as $\Pi, \Pi'$.

*A similar form can be found in [17], where $u \backslash B \not\leadsto v$ is used to denote that $u$ is not allowed to interfere with $v$ via the actions in $B$. We simplified the presentation by explicitly defining action partitions to be associated with unique security domains.

Given a security policy $\Pi$ and an action sequence $\alpha \in A^*$, a function $purge_\Pi : A^* \times U \to A^*$ is introduced (as in [17]) to clear away from $\alpha$ the actions that are not allowed to interfere with a security domain $u$. It is inductively defined by $purge_\Pi(\epsilon, u) = \epsilon$, and

$$purge_\Pi(a \cdot \alpha, u) = \begin{cases} purge_\Pi(\alpha, u) & \text{if } (part(a) \not\leadsto u) \in \Pi, \\ a \cdot purge_\Pi(\alpha, u) & \text{otherwise.} \end{cases}$$

A system satisfies noninterference if for all $u \in U$ and $\alpha \in A^*$, $obs_u(s_0 \cdot \alpha) = obs_u(s_0 \cdot purge_\Pi(\alpha, u))$. Plainly, this requires that removing all the actions not allowed to interfere with a user is not noticeable by that user, since it gives the same view to that user as the action sequence in which no actions are removed. From the set of noninterference assertions $\Pi$, a relation $\leadsto \subseteq U \times U$ of interference is uniquely determined. Write $u \leadsto v$ if there exists a nonempty set of actions $B \subseteq A_u$ such that for all noninterference assertions of the form $(P \not\leadsto v)$, we have $P \cap B = \emptyset$. We say that the noninterference policy is transitive if the induced relation $\leadsto$ is transitive on $U$.

Most of the policies studied in the literature are transitive. For example, the MultiLevel Security of Bell and LaPadula [3] defines a partial order of security domains.‡ Later Denning introduced a lattice structure of security classes to reason about information flow [12]. Noninterference can be used to analyze transitive information flow policies, but it is not necessarily transitive by nature. To be explicit, the relation $\leadsto$ induced by a policy $\Pi$ is not inherently transitive according to the definition of the function $purge$. We sketch this in the following example.

Figure 1. The machine of Example 1, where a state $s$ is labelled $(obs_v(s), obs_w(s))$, and we omit the self-transitions by $a_w$.



†As in the case of a channel control policy [21], [32] where $u \leadsto v$ and $v \leadsto w$, it seems more realistic to let only a subset of $A_v$ act as a channel passing information from $u$ to $w$. This may also be partially used to defend against criticisms of the purge-based channel control policies such as those from Roscoe and Goldsmith [31].

‡More precisely, it is defined as a combination of a totally ordered set of security labels $\mathcal{L}$ such as top secret (TS), secret (S), confidential (C), unclassified (U), where TS > S > C > U, and a set of categories $\mathcal{C}$, such as Navy, Army and Air Force, which are pairwise incomparable, so that $(l_1, c_1) \le (l_2, c_2)$ with $l_1, l_2 \in \mathcal{L}$ and $c_1, c_2 \in \mathcal{C}$ iff $l_1 \le l_2$ and $c_1 = c_2$.



Example 1: Let $U = \{u, v, w\}$, and a flow policy satisfying $u \leadsto v$ and $v \leadsto w$, i.e., the set of noninterference assertions is $\Pi = \{(A_v \not\leadsto u), (A_w \not\leadsto v), (A_w \not\leadsto u), (A_u \not\leadsto w)\}$, where $A_u = \{a_u\}$, $A_v = \{a_v\}$ and $A_w = \{a_w\}$. Let $S = \{0, 1\} \times \{0, 1\}$ with $s_0 = (0, 0)$, $obs_u((x, y)) = 0$, $obs_v((x, y)) = x$ and $obs_w((x, y)) = y$ for all $x, y \in \{0, 1\}$. The transition function is defined as $step(s, a_w) = s$ for all $s$, $step((x, y), a_u) = (x \oplus 1, y)$ and $step((x, y), a_v) = (x, y \oplus 1)$ for all $x, y \in \{0, 1\}$, where $\oplus$ denotes 'exclusive or'. The machine is depicted in Fig. 1.

One may observe that $u$ determines $v$'s observation and $v$ determines $w$'s observation in every state. Every noninterference assertion can be verified via the purge function. For instance, for the assertion $(A_u \not\leadsto w)$ we have $obs_w(s_0 \cdot \alpha) = obs_w(s_0 \cdot purge_\Pi(\alpha, w))$ for all $\alpha \in A^*$. Note that the relation $\leadsto$ is not transitive, since $(u, w) \notin \leadsto$ although we have $u \leadsto v$ and $v \leadsto w$. □
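The machine and policy of Example 1 as runnable code, added here as an illustration and not taken from the paper: it implements the purge function of this section, exhaustively checks the noninterference condition for every action sequence up to a chosen length (the machine and action set are finite, so this is decisive up to that bound), computes the induced relation $\leadsto$, and also checks a constructed variant policy that the machine violates.

```python
"""Example 1 (Section II) as an executable machine with the purge-based check.

Constructed example, not code from the paper: a strict assertion (P -/-> u) is a
pair (frozenset_of_actions, user); purge drops every action of a partition that
must not interfere with the observing user.
"""
from itertools import product

USERS = ("u", "v", "w")
ACTIONS = ("a_u", "a_v", "a_w")             # A_u = {a_u}, A_v = {a_v}, A_w = {a_w}
DOM = {"a_u": "u", "a_v": "v", "a_w": "w"}  # dom : A -> U (here part = dom)

# Pi = {(A_v -/-> u), (A_w -/-> v), (A_w -/-> u), (A_u -/-> w)}
POLICY = frozenset({
    (frozenset({"a_v"}), "u"),
    (frozenset({"a_w"}), "v"),
    (frozenset({"a_w"}), "u"),
    (frozenset({"a_u"}), "w"),
})
# Constructed variant that additionally forbids v from interfering with w; the
# machine below cannot satisfy it because obs_w depends on a_v.
LEAKY_POLICY = POLICY | {(frozenset({"a_v"}), "w")}

S0 = (0, 0)


def step(state, action):
    """a_u flips x, a_v flips y, a_w is a self-transition."""
    x, y = state
    if action == "a_u":
        return (x ^ 1, y)
    if action == "a_v":
        return (x, y ^ 1)
    return state


def obs(user, state):
    """obs_u((x, y)) = 0, obs_v((x, y)) = x, obs_w((x, y)) = y."""
    x, y = state
    return {"u": 0, "v": x, "w": y}[user]


def run(state, seq):
    """s . alpha: the machine is deterministic and input enabled, so fold step."""
    for a in seq:
        state = step(state, a)
    return state


def blocked_for(policy, user):
    """Union of all partitions P with (P -/-> user) in the policy."""
    return {a for part, target in policy if target == user for a in part}


def purge(policy, seq, user):
    """purge_Pi(alpha, u) for strict assertions: filter out blocked actions."""
    blocked = blocked_for(policy, user)
    return tuple(a for a in seq if a not in blocked)


def interferes(policy, src, dst):
    """src ~> dst iff some nonempty B within A_src avoids every P with (P -/-> dst)."""
    blocked = blocked_for(policy, dst)
    return any(a not in blocked for a in ACTIONS if DOM[a] == src)


def induced_relation(policy):
    return {(x, y) for x in USERS for y in USERS if interferes(policy, x, y)}


def is_transitive(rel):
    return all((x, z) in rel for (x, y) in rel for (y2, z) in rel if y == y2)


def is_secure(policy, max_len):
    """obs_u(s0 . alpha) == obs_u(s0 . purge(alpha, u)) for every u and every
    alpha of length <= max_len (exhaustive, since A and S are finite)."""
    for n in range(max_len + 1):
        for seq in product(ACTIONS, repeat=n):
            for user in USERS:
                if obs(user, run(S0, seq)) != obs(user, run(S0, purge(policy, seq, user))):
                    return False
    return True


if __name__ == "__main__":
    rel = induced_relation(POLICY)
    print("secure:", is_secure(POLICY, 6))
    print("u~>v, v~>w, u~>w:", ("u", "v") in rel, ("v", "w") in rel, ("u", "w") in rel)
    print("transitive:", is_transitive(rel))
    print("leaky variant secure:", is_secure(LEAKY_POLICY, 3))
```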

We claim that Goguen and Meseguer's noninterference policy is not necessarily transitive, and moreover, it can be used to encode security properties stronger than those known as intransitive noninterference or channel control policies [21], [32]. In the above example $v$ can pass information from $u$ to $w$ only after he indeed receives and knows the information. Furthermore, $v$ is allowed to intentionally block information from $u$ to $w$, although information is free to flow from $u$ to $v$ and from $v$ to $w$. This example shows that the notion of noninterference of Goguen and Meseguer also gives a channel-like control, which works differently from that of intransitive noninterference. Note that in intransitive noninterference policies, it is possible that a channel is allowed to forward information without knowing what is being forwarded [38].

III. Conditional Noninterference

Conditional noninterference was introduced to support dynamic policies [17], where the conditions were predicates on the sequence of actions performed before reaching a state. In this section the notion is extended also in the other direction (similar to intransitive noninterference), so that conditional noninterference decides whether an action is allowed to interfere with a user given a path of actions leading to the current system state as well as the possible future actions to be performed.

We define a conditional noninterference assertion to be of the form $(P \not\leadsto u \mid \phi)$, where the condition $\phi$ is a function of type $A^* \times A \times A^* \to \{true, false\}$. Given a sequence of actions $\alpha \in A^*$, a single action $a \in A$, and another sequence of actions $\alpha' \in A^*$ to be executed in the future, $\phi(\alpha, a, \alpha')$ answers whether the current action $a$ is allowed to interfere with user $u$, i.e., whether it needs to be 'purged'. The sequence $\alpha$ can be understood as the pre-conditional part of the whole sequence $\alpha \cdot a \cdot \alpha'$ for $\phi$, so that a decision is made based on history. The sequence $\alpha'$ represents the actions yet to be performed. This part enables us to define a policy that permits information flow only after it is checked by other users, which has already been explored in the form of intransitive noninterference or channel control policies [21], [32]. We regard $\alpha'$ as the post-conditional part of $\alpha \cdot a \cdot \alpha'$ for $\phi$ on action $a$. If $\phi$ always evaluates to true in an assertion $T = (P \not\leadsto u \mid \phi)$, then $T$ is a strict assertion, and it is equivalent to what is defined in the previous section. At this point we revise the notion of a security policy to be a set of conditional noninterference assertions. We have the following definition for the new purge function.

Definition 1: Given a policy $\Pi$, the function $purge_\Pi : A^* \times U \to A^*$ is defined, for all $\alpha \in A^*$ of the form $a_1 a_2 \cdots a_n$, as $purge_\Pi(\alpha, u) = a'_1 a'_2 \cdots a'_n$ such that for every $i \in \{1, \ldots, n\}$,

$$a'_i = \begin{cases} \epsilon & \text{if there exists } (part(a_i) \not\leadsto u \mid \phi) \in \Pi \text{ and } \phi(\alpha_{-i}, a_i, \alpha_{+i}), \\ a_i & \text{otherwise,} \end{cases}$$

where $\alpha_{-i} = a_1 \ldots a_{i-1}$, $\alpha_{+i} = a_{i+1} \ldots a_n$, and $\epsilon$ denotes the empty sequence of actions.

A system is secure with respect to a policy $\Pi$ if for all $u \in U$ and $\alpha \in A^*$, $obs_u(s_0 \cdot \alpha) = obs_u(s_0 \cdot purge_\Pi(\alpha, u))$. This requires that every user $u \in U$ is unable to distinguish the trace $\alpha$ from $purge_\Pi(\alpha, u)$ by his observations.

In the rest of the section, we restrict our attention to 
two subclasses of conditional noninterference assertions. For 
each class of assertions, we define its corresponding purge 
functions. We will also show how these assertions can be 
applied to express a few existing policies of interest. 

A. Pre- and Post-Conditional Assertions 

We define two subclasses of conditional assertions. A pre-conditional assertion provides a control when a decision on permitted information flow needs to be made ahead of time. For example, in a system with discretionary access control, if a user wishes to receive information from a different user, he may simply create a file which he can read, and delegate the 'write' access of this file to that particular user. He may also revoke this access in the future. A post-conditional assertion controls the flow of information after an action with intended flow is performed. An example of this policy is that a secret message must be followed by an encrypting action before it is allowed to be sent out. Note that in many circumstances, such decisions on permissions of information passage can only be made by a super-user or an administrator.

Figure 2. Syntax of the constraints in $\Phi^\sim$:

$\phi ::= [\overrightarrow{C_1} \cup \overrightarrow{C_2} \cup \cdots \cup \overrightarrow{C_n}]^{pre}_{\uparrow} \mid [\overrightarrow{C_1} \cup \overrightarrow{C_2} \cup \cdots \cup \overrightarrow{C_n}]^{pre}_{\downarrow} \mid [\overleftarrow{C_1} \cup \overleftarrow{C_2} \cup \cdots \cup \overleftarrow{C_n}]^{post}$

$\overrightarrow{C} ::= C' \mid C'\,\Diamond \mid C'\,\overrightarrow{C} \mid C'\,\Diamond\,\overrightarrow{C}$

$\overleftarrow{C} ::= C' \mid \Diamond\,C' \mid \overleftarrow{C}\,C' \mid \overleftarrow{C}\,\Diamond\,C'$

$C' ::= P \mid P \cup C'$

$P ::= P_1 \mid P_2 \mid \ldots \mid P_n$, where $P_i \in Part$ for $1 \le i \le n$ for some $n$.

We start with a simple language $\Phi^\sim$ for expressing the pre-conditional and post-conditional assertions, as shown in Fig. 2. The superscripts 'pre' and 'post' denote whether a constraint is defined in a pre-conditional or post-conditional assertion, and the arrows '$\uparrow$' and '$\downarrow$' denote upgrading channels and downgrading channels, respectively. A post-conditional assertion only asserts a condition under which an already-taken action is allowed to produce an effect. For example, the assertion $(P \not\leadsto u \mid [P_1 P_2]^{pre}_{\downarrow})$ disallows partition $P$ to interfere with $u$ unless it is immediately preceded by an action in $P_1$ followed by an action in $P_2$, and the assertion $(P \not\leadsto u \mid [\Diamond(P_1 \cup P_2)]^{post})$ allows actions from $P$ to be detectable by $u$ only if somewhere in the future an action in $P_1 \cup P_2$ is performed. In this case, the symbol '$\Diamond$' resembles its usage in temporal logics, in the sense that the actions in the next partition (or union of partitions) need not happen immediately after, but within a finite distance in the action sequence. We define the post-conditional assertions in the way of controlled release of information, and such release is regarded as irreversible.§

For the semantics of $\Phi^\sim$, every channel inside an assertion is interpreted as a regular expression. Let $\llbracket \cdot \rrbracket$ be a function from $\Phi^\sim$ to regular expressions. For a channel constraint $\overrightarrow{C_i} = W_1 W_2 \cdots W_n$ (or $\overleftarrow{C_i}$ for the post-conditional case), where $W_i \in \{\Diamond\} \cup 2^A$, define $\llbracket C_i \rrbracket$ as the regular language represented by $W'_1 W'_2 \cdots W'_n$, where $W'_i = A^*$ if $W_i = \Diamond$ and $W'_i = W_i$ otherwise. Given $\phi' = C_1 \cup C_2 \cup \ldots \cup C_n$, we have $\llbracket \phi' \rrbracket = \llbracket C_1 \rrbracket \cup \llbracket C_2 \rrbracket \cup \ldots \cup \llbracket C_n \rrbracket$, i.e., the union of the languages of all the channels. The semantics for post-conditional constraints are defined in a similar way. Given an assertion $(P \not\leadsto u \mid \phi)$, $\alpha, \alpha' \in A^*$ and $a \in A$,

- if $\phi$ is of the form $[\phi']^{pre}_{\uparrow}$, then $\phi(\alpha, a, \alpha') = true$ iff $\alpha \in A^* \llbracket \phi' \rrbracket$;

- if $\phi$ is of the form $[\phi']^{pre}_{\downarrow}$, then $\phi(\alpha, a, \alpha') = false$ iff $\alpha \in A^* \llbracket \phi' \rrbracket$;

- if $\phi$ is of the form $[\phi']^{post}$, then $\phi(\alpha, a, \alpha') = false$ iff $\alpha' \in \llbracket \phi' \rrbracket A^*$.

Note that the formal interpretations of the upgrading channels and downgrading channels are different. For an upgrading assertion $(P \not\leadsto u \mid [\phi']^{pre}_{\uparrow})$, if a pre-conditional sequence $\alpha$ matches the pattern, i.e., $\alpha \in A^* \llbracket \phi' \rrbracket$, the following action (if in $P$) must be purged. However, in the case of downgrading that action must not be purged. The post-conditional assertions only act as downgrading channels.

The usage of the terms 'upgrading' and 'downgrading' is intuitive for both confidentiality and integrity specifications. An upgrading assertion $(P \not\leadsto u \mid [\phi']^{pre}_{\uparrow})$ allows actions in $P$ to interfere with $u$ (for confidentiality), or $u$ to be changed by $P$ (for integrity), by default, until a pattern in $\llbracket \phi' \rrbracket$ occurs, after which the policy becomes stricter. An interpretation for downgrading assertions can be made in a similar way. Plainly, every conditional assertion is weaker than its corresponding strict assertion, which is obtained by removing its conditional part.

§On the other hand, pre-conditional assertions are allowed to revoke a 'permission' to cause flow as long as the actions under control are not yet performed.

B. Examples

We sketch two examples to show that conditional policies can be used to express several useful security requirements related to information flow.

Example 2: (book-keeping) We present a simple example of well-formed transactions to ensure data integrity, as by Clark and Wilson [9]. Assume there is a company with a number of employees. A shared database $B$ is in the company's intranet, from which every user is allowed to retrieve information. A user can modify $B$, but this is only allowed immediately after he has registered (or authenticated) himself into the system. This is a basic integrity requirement.

Database $B$ is modelled as a user with no actions, and its observation of the system is just its contents. For a user $E$, his action set $A_E$ can be partitioned into the set of reading operations $A^r_E$, the set of writing operations $A^w_E$ and the book-keeping action $\{a^b_E\}$. The information flow constraints with respect to the security requirement can thus be stated as follows for each user $E$.

(1) $E$'s reading actions are not allowed to change $B$, which is the assertion

$(A^r_E \not\leadsto B)$

(2) $E$'s writing actions are allowed to modify $B$ only if that action occurs immediately after a book-keeping action. An assertion for this rule is

$(A^w_E \not\leadsto B \mid [\{a^b_E\}]^{pre}_{\downarrow})$

(3) Finally, the action $a^b_E$ also needs to be constrained. If it is not immediately followed by a write operation, it should not affect any part of the database. So we have

$(\{a^b_E\} \not\leadsto B \mid [A^w_E]^{post})$

□

The above example illustrates how actions need to be bundled together in order to become a well-formed transaction. The book-keeping operation serves as a downgrading action on the integrity level of $B$, after which the employee $E$ is allowed to modify $B$. The next example presents an upgrading policy.
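An added implementation, not the paper's code, of the conditional purge of Definition 1 over the constraint language $\Phi^\sim$ of Sect. III-A (channels as words of $\Diamond$ and action sets, with the pre-upgrading, pre-downgrading and post semantics given there), exercised on the book-keeping policy of Example 2 and on rule (3) of Example 3 from company $v$'s side; the action names r, w, b, cu, cv and a_u are constructed stand-ins for the partitions.

```python
"""Conditional purge (Definition 1) over the constraint language of Fig. 2.

Constructed example code, not from the paper.  A channel is a tuple of words
W_i, each either DIAMOND (standing for A*) or a set of actions (a union of
partitions); the three constraint kinds follow the semantics given for Phi~.
"""
DIAMOND = "<>"


def in_channel(channel, seq):
    """seq is in the regular language W'_1 W'_2 ... W'_n of one channel."""
    if not channel:
        return len(seq) == 0
    w, rest = channel[0], channel[1:]
    if w == DIAMOND:  # A*: try every split point
        return any(in_channel(rest, seq[i:]) for i in range(len(seq) + 1))
    return len(seq) > 0 and seq[0] in w and in_channel(rest, seq[1:])


def in_union(channels, seq):
    """seq is in [[C_1 U ... U C_n]], the union of the channel languages."""
    return any(in_channel(c, seq) for c in channels)


def has_matching_suffix(channels, history):
    """alpha in A* [[phi']]: some suffix of the history is in the language."""
    return any(in_union(channels, history[i:]) for i in range(len(history) + 1))


def has_matching_prefix(channels, future):
    """alpha' in [[phi']] A*: some prefix of the future is in the language."""
    return any(in_union(channels, future[:j]) for j in range(len(future) + 1))


class Assertion:
    """(P -/-> u | phi) with phi strict, [phi']^pre_up, [phi']^pre_down or [phi']^post."""

    def __init__(self, partition, user, kind="strict", channels=()):
        if kind not in ("strict", "pre_up", "pre_down", "post"):
            raise ValueError(kind)
        self.partition = frozenset(partition)
        self.user, self.kind, self.channels = user, kind, tuple(channels)

    def phi(self, before, action, after):
        """True means the assertion takes effect, i.e. the action is purged."""
        if action not in self.partition:
            return False
        if self.kind == "strict":
            return True
        if self.kind == "pre_up":    # purge once the history matches
            return has_matching_suffix(self.channels, before)
        if self.kind == "pre_down":  # purge unless the history matches
            return not has_matching_suffix(self.channels, before)
        return not has_matching_prefix(self.channels, after)  # post: purge unless future matches


def purge(policy, seq, user):
    """purge_Pi(alpha, u): every condition is evaluated on the original sequence."""
    seq = tuple(seq)
    return tuple(a for i, a in enumerate(seq)
                 if not any(t.user == user and t.phi(seq[:i], a, seq[i + 1:]) for t in policy))


# Example 2 (book-keeping): r = read, w = write, b = book-keeping action of one
# employee E; the database B is a user with no actions of its own.
BOOKKEEPING = {
    Assertion({"r"}, "B"),                                  # (A^r_E -/-> B)
    Assertion({"w"}, "B", "pre_down", [({"b"},)]),          # (A^w_E -/-> B | [{a^b_E}]^pre_down)
    Assertion({"b"}, "B", "post", [({"w"},)]),              # ({a^b_E} -/-> B | [A^w_E]^post)
}

# Example 3, rule (3), seen by company v: cu / cv are consultant c's actions
# towards u / v, a_u is an action of company u.
CHINESE_WALL_V = {
    Assertion({"a_u"}, "v"),                                # (A_u -/-> v)
    Assertion({"cu"}, "v"),                                 # (A^u_c -/-> v)
    Assertion({"cv"}, "v", "pre_up", [({"cu"}, DIAMOND)]),  # (A^v_c -/-> v | [A^u_c <>]^pre_up)
}

if __name__ == "__main__":
    # Only the write that immediately follows a book-keeping action survives,
    # and only the book-keeping action that is immediately followed by a write.
    print(purge(BOOKKEEPING, "rbwrwbr", "B"))
    # c's second message to v is purged because c has contacted u in between.
    print(purge(CHINESE_WALL_V, ("cv", "cu", "cv", "a_u"), "v"))
```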

Example 3: (conflict of interest) In a small town two sales companies $u$ and $v$, which compete with each other, are seeking help on their business strategies. There is only one consulting company available in that town. If both $u$ and $v$ connect themselves to the consulting company, it raises the requirement that for each individual consultant $c$, once he contacts one company of $u$ and $v$, he will not be allowed to consult the other, so that he cannot play both sides. This requirement resembles the Chinese Wall security policy [7].¶ We regard both $u$ and $v$ as users with action sets $A_u$ and $A_v$. For each consultant $c$, we assume the set of actions he can do is fixed as $A_c$, which can further be split into disjoint sets $A^u_c$ and $A^v_c$, which are supposed to be used to exchange messages with $u$ and $v$, respectively.

(1) Initially, it is required that the companies $u$ and $v$ are not allowed to leak information to each other, which can be sketched as

$(A_u \not\leadsto v)$ and $(A_v \not\leadsto u)$.

(2) The actions for $c$ to communicate with $u$ are not supposed to have any effect on $v$, so that $v$'s view of the system should not be changed by actions in $A^u_c$. Similarly, $A^v_c$ is not allowed to alter $u$'s view. Therefore we have the following assertions.

$(A^u_c \not\leadsto v)$ and $(A^v_c \not\leadsto u)$.

(3) Once $c$ starts consulting $u$ (or tries to access $u$), he should immediately be disallowed to communicate with $v$. This is defined over the action partition $A^v_c$ to company $v$. For the effect from partition $A^u_c$ on company $u$, we define the same assertion.

$(A^v_c \not\leadsto v \mid [A^u_c\,\Diamond]^{pre}_{\uparrow})$ and $(A^u_c \not\leadsto u \mid [A^v_c\,\Diamond]^{pre}_{\uparrow})$

(4) However, it is also possible that $c$ listens to $u$ before he starts to communicate with $v$, so that he can pass information from $u$ to $v$ in an undesired way. Therefore we disallow actions by $u$ to reveal information to $c$ before $c$ shows his intention to consult $u$. This can be sketched by the following assertions.

$(A_u \not\leadsto c \mid [A^u_c\,\Diamond]^{pre}_{\downarrow})$ and $(A_v \not\leadsto c \mid [A^v_c\,\Diamond]^{pre}_{\downarrow})$

In this example the actions in $A^u_c$ upgrade the information flow policy on $A^v_c$ to $v$, i.e., once an action in $A^u_c$ is performed, the policy becomes stricter on the actions in $A^v_c$, and vice versa. A reasonable consequence of this policy is that once a consultant tries to communicate with both companies, he will be forbidden to consult both companies thereafter. □

¶The Chinese Wall policy is concerned with the information flow among all the consultants and consulting companies. It has two basic rules: (1) Each consultant is allowed to access at most one company's files in each conflict of interest class, which is known as the simple security property. (2) Each consultant can write to a company's files only if he has never accessed any other company's file, which is known as the *-property. Here we focus on how to prevent information flow between the companies with respect to a particular consultant. We do not prevent an individual consultant from reading one company's file after he has read the other's, as long as this action does not cause information flow between the two companies, in which sense our policy is weaker than the Chinese Wall policy.



C. More on Pre-Conditional Assertions

The conditional noninterference assertions based on the constraints defined by $\Phi^\sim$ in Fig. 2 are easy to understand and use, but they might not be general enough to capture more complicated security requirements. For example, it is not possible to have an assertion in $\Phi^\sim$ that allows an action to act as both downgrading and upgrading in the manner of a power switch. In this section, for pre-conditional assertions, we define a more general policy language to achieve better expressiveness. The policy language $\Phi$ is defined as regular expressions on $Part$:

$$\phi ::= \emptyset \mid P \mid \phi \cup \phi \mid \phi \cdot \phi \mid \phi^*$$

where $P \in Part$.

We use $A \setminus P$ to denote $\bigcup \{P' \in Part \mid P' \neq P\}$. A pre-conditional noninterference assertion is thus of the form $(P \not\leadsto u \mid \phi^{pre})$, where $P \in Part$, $u \in U$ and $\phi \in \Phi$. The function $\phi^{pre} : A^* \times A \times A^* \to \{true, false\}$ is defined as $\phi^{pre}(\alpha, a, \alpha') = true$ iff $\alpha \in L(\phi)$. When it is applied to purge an action sequence, the constraint $\phi^{pre}$ removes every action $a$ in partition $P$ from $\alpha \cdot a \cdot \alpha'$ whenever $\alpha$ is in the regular language expressed by $\phi$ in the pre-conditional assertion $(P \not\leadsto u \mid \phi^{pre})$. In particular, the constraint $\emptyset$ does not purge any actions, and $A^*$ purges everything, if they appear within an assertion.

Given a user $u \in U$, we define a partial order relation $\le_u$ on the set of conditional assertions associated with $u$. Say an action sequence $a_1 a_2 \ldots a_n$ is contained in another sequence $\alpha$ if there exist $\alpha_0, \alpha_1, \ldots, \alpha_n \in A^*$ such that $\alpha_0 \cdot a_1 \cdot \alpha_1 \cdot a_2 \cdot \alpha_2 \cdots a_n \cdot \alpha_n = \alpha$. Let $T_1$ and $T_2$ be two assertions associated with $u$; $T_1 \le_u T_2$ if $purge_{\{T_2\}}(\alpha, u)$ is contained in $purge_{\{T_1\}}(\alpha, u)$ for all $\alpha \in A^*$. Intuitively, this means assertion $T_2$ is stronger than assertion $T_1$, i.e., the language accepted by the constraint in $T_2$ is a superset of the language accepted by the constraint in $T_1$.

Lemma 1: For the general pre-conditional assertions, $(P \not\leadsto u \mid \phi_1^{pre}) \le_u (P \not\leadsto u \mid \phi_2^{pre})$ implies $L(\phi_1) \subseteq L(\phi_2)$.

This further induces an ordering on the set of policies, such that given two policies $\Pi_1$ and $\Pi_2$, $\Pi_1 \le \Pi_2$ if for all $u \in U$ and $T_1 \in \Pi_1$, there exists $T_2 \in \Pi_2$ such that $T_1 \le_u T_2$.

Proposition 1: For every pre-conditional assertion $T_1 = (P \not\leadsto u \mid \phi^{pre})$ with $\phi \in \Phi^\sim$, there exists a constraint $\psi \in \Phi$ such that the assertion $T_2 = (P \not\leadsto u \mid \psi^{pre})$ satisfies $T_1 \le_u T_2$ and $T_2 \le_u T_1$.

Proof: Trivial, since every pre-conditional constraint in $\Phi^\sim$ expresses a regular expression. ■
Note this implies that the distinction between downgrading and upgrading assertions in $\Phi^\sim$ no longer exists in $\Phi$. Since regular languages are closed under complementation,‖ if $\phi \in \Phi$ expresses a downgrading channel $[\phi']^{pre}_{\downarrow}$, there always exists another expression $\phi'' \in \Phi$ expressing $[\phi']^{pre}_{\uparrow}$, such that $\phi \cap \phi'' = \emptyset$ and $\phi \cup \phi'' = A^*$.

‖The author is not sure if it makes sense to have a more general policy language which might not have such good closure properties, e.g., CFL.

The other direction of Prop. 1 does not hold. Following the claim we made at the beginning of the section, the assertion $(P \not\leadsto u \mid ((A \setminus Q)^* (Q (A \setminus Q)^* Q (A \setminus Q)^*)^*)^{pre})$ allows the actions in $Q$ to act as a switch. An even number of occurrences of actions in $Q$ disallows $P$ to interfere with $u$, while an odd number of actions in $Q$ allows $P$. This is an assertion that expresses a policy mixed with upgrading and downgrading, which is not expressible in $\Phi^\sim$.

D. Avoiding Inconsistencies 

Assertion conflict happens when two assertions associated 
with the same user and controlling the same partition dis- 
agree on whether an action needs to be purged. To resolve 
this problem, we may take a more secure choice (as stated in 
Def. [U by insisting that an action needs to be purged from a 
sequence if there exists an assertion that returns true. Never- 
theless this may cause a policy to be potentially stronger than 
what is expected by a (careless) poUcy specifier. Formally, 
two assertions Ti = (P u and T2 ^ {P -/^ u |02l) 
are in conflict in a policy, if there exists a, a' G A* and 
a E P, such that (f>i{a,a,a') ^ (/)2(q!, a, a'). Say a policy 
is simple, if for every P G Part and u £ U, there is at 
most one assertion that controls P and is associated with u. 
In this paper we only discuss simple policies. 

Nevertheless, two conditional assertions may conflict with each other according to our intuition of permitted information flow even in a simple policy. For example, let a post-conditional assertion $T_1 = (P_1 \not\rightsquigarrow u \,|[\Diamond P_2]^{post})$ be an assertion that allows $P_1$ to interfere with $u$ only via a channel provided by $P_2$. This assertion intuitively conflicts with the assertion $T_2 = (P_2 \not\rightsquigarrow u)$, which disallows $P_2$ to interfere with $u$ in all circumstances. Since $P_2$ is allowed to control information from $P_1$ to $u$ in $T_1$, the information passed from $P_1$ to $u$ carries a 'permission' from $P_2$, which seems undesirable. We propose the following conditions to monitor this type of inconsistency in a policy.
Definition 2: Given a signature $(A, U, \mathit{dom})$ and a partition $\mathit{Part}$,

- a policy $\Pi$ is left-consistent if for all $u \in U$ and for all $\alpha, \alpha' \in A^*$, $\mathit{purge}_\Pi(\mathit{purge}_\Pi(\alpha, u) \cdot \alpha', u) = \mathit{purge}_\Pi(\alpha \cdot \alpha', u)$,

- a policy $\Pi$ is right-consistent if for all $u \in U$ and for all $\alpha, \alpha' \in A^*$, $\mathit{purge}_\Pi(\alpha \cdot \mathit{purge}_\Pi(\alpha', u), u) = \mathit{purge}_\Pi(\alpha \cdot \alpha', u)$.

Intuitively, suppose the effect of action $a$ depends on the existence of action $b$; then the conditions that determine the effect of $b$ should be consistent with the conditions that determine the effect of $a$. A policy being left-consistent (right-consistent) requires that the existence of every action in a purged sequence is consistent with the existence of every other action appearing to the left (right) of that action in the sequence. Obviously, a simple policy consisting of only strict assertions is both left-consistent and right-consistent.

E. Encoding Intransitive Noninterference 

Intransitive noninterference [21], [32] defines an information flow policy as a (reflexive) binary relation $\rightsquigarrow$ over the set of security domains $U$, where $u \rightsquigarrow v$ indicates that $u$ is allowed to interfere with $v$, and $\rightsquigarrow$ is not necessarily transitive on $U$. The $\mathit{ipurge}$ function of type $A^* \times U \to A^*$ can be defined as follows.^ Given $u \in U$ and $\alpha \in A^*$ in the form of $a_1 a_2 \ldots a_n$, $\mathit{ipurge}(\alpha, u) = a'_1 a'_2 \cdots a'_n$, such that for every $i \in \{1, \ldots, n\}$,

$$a'_i = \begin{cases} a_i & \text{if } a_{i+1} a_{i+2} \cdots a_n \text{ contains an interference chain,} \\ \epsilon & \text{otherwise,} \end{cases}$$

where an interference chain is a subsequence $b_1 b_2 \cdots b_m$ (possibly empty) that is contained in $a_{i+1} a_{i+2} \cdots a_n$, satisfying $\mathit{dom}(a_i) \rightsquigarrow \mathit{dom}(b_1)$, $\mathit{dom}(b_j) \rightsquigarrow \mathit{dom}(b_{j+1})$ for all $1 \leq j \leq m-1$, and $\mathit{dom}(b_m) \rightsquigarrow u$ (for $m = 0$ the requirement is simply $\mathit{dom}(a_i) \rightsquigarrow u$). A system is secure with respect to intransitive noninterference (of policy $\rightsquigarrow$) if for all $u \in U$ and $\alpha \in A^*$ we have

$$\mathit{obs}_u(s_0 \cdot \alpha) = \mathit{obs}_u(s_0 \cdot \mathit{ipurge}(\alpha, u)).$$

We show that the conditional noninterference policies subsume the intransitive noninterference policies by using only post-conditional assertions. Given a signature $(A, U, \mathit{dom})$ and an intransitive noninterference policy $\rightsquigarrow \subseteq U \times U$, we construct a policy $\Pi(\rightsquigarrow)$ as follows. First we let $\mathit{Part} = \{A_u \mid u \in U\}$. For every pair of users $u, v \in U$, we construct the set $\mathit{Interf}(u, v) = \{v_1 v_2 \ldots v_n \in U^* \mid u \rightsquigarrow v_1 \rightsquigarrow v_2 \rightsquigarrow \cdots \rightsquigarrow v_n \rightsquigarrow v\}$. In this set we enumerate all possible interference chains from user $u$ to user $v$. (This set could be infinite.) Define a condense operator $\mathit{Cond} : 2^{U^*} \to 2^{U^*}$ by $\mathit{Cond}(\mathit{TSet}) = \{\alpha \in \mathit{TSet} \mid \forall \alpha' \in \mathit{TSet} : \alpha \text{ contains } \alpha' \Rightarrow \alpha = \alpha'\}$. This operator removes all redundant and cyclic chains in a set $\mathit{Interf}(u, v)$, so that the remaining condensed set is minimal. For example, if $u \rightsquigarrow v$, then neither the chain $u \rightsquigarrow w \rightsquigarrow v$ nor the chain $u \rightsquigarrow w \rightsquigarrow u \rightsquigarrow v$ will provide any additional information on purging actions in $A_u$ with respect to user $v$. Moreover, such a condensed set will always be finite provided that $U$ is finite. We define $\Pi(\rightsquigarrow)$ as a set consisting of the following assertions. For all distinct $u, v \in U$,

1) if $\mathit{Interf}(u, v) = \emptyset$, then $(A_u \not\rightsquigarrow v)$ is an assertion in $\Pi(\rightsquigarrow)$,

2) if $\mathit{Interf}(u, v) \neq \emptyset$ and $\mathit{Cond}(\mathit{Interf}(u, v)) \neq \{\epsilon\}$, then $(A_u \not\rightsquigarrow v \,|[\lambda_1 \cup \lambda_2 \cup \cdots \cup \lambda_n]^{post})$ is an assertion in $\Pi(\rightsquigarrow)$, where $\{\lambda_1, \lambda_2, \ldots, \lambda_n\} = \mathit{Cond}(\mathit{Interf}(u, v))$ and each chain $v_1 \cdots v_k$ is read as the channel $\Diamond A_{v_1} \cdots \Diamond A_{v_k}$.

The correctness of the above construction of $\Pi(\rightsquigarrow)$ is given by the following result, with its proof sketch in the appendix.

^The $\mathit{ipurge}$ function in the original paper of Haigh and Young [21] is defined in a different way, but semantically equivalent to the definition here.



Proposition 2: Given an intransitive noninterference policy $\rightsquigarrow$, for all $u \in U$ and $\alpha \in A^*$, $\mathit{ipurge}(\alpha, u) = \mathit{purge}_{\Pi(\rightsquigarrow)}(\alpha, u)$.
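As an added example (not code from the paper), the following Python implements the $\mathit{ipurge}$ function defined above and the $\Pi(\rightsquigarrow)$ construction of this section ($\mathit{Interf}$, $\mathit{Cond}$, and purging under the resulting post-conditional assertions), then checks Prop. 2 exhaustively on a constructed three-domain policy $H \rightsquigarrow D \rightsquigarrow L$. The domain names, the one-action-per-domain alphabet and the sequence-length bound are assumptions of the example.

```python
"""Added example, not from the paper: Rushby-style ipurge over an
intransitive relation ~> and the encoding Pi(~>) of Sect. III-E, compared
exhaustively on a constructed three-domain policy H ~> D ~> L."""
from itertools import product


def is_subsequence(short, long):
    """True when `short` is a (possibly non-contiguous) subsequence of `long`."""
    it = iter(long)
    return all(any(x == y for y in it) for x in short)


def ipurge(alpha, u, dom, flows):
    """alpha: list of actions; dom: action -> domain; flows: set of pairs
    (d1, d2) meaning d1 ~> d2 (assumed reflexive).  a_i is kept iff the suffix
    after it contains an interference chain b_1..b_m (m >= 0) with
    dom(a_i) ~> dom(b_1) ~> ... ~> dom(b_m) ~> u."""
    kept = []
    for i, a in enumerate(alpha):
        reach = {dom[a]}                 # last domains of chains found so far
        for b in alpha[i + 1:]:
            if any((r, dom[b]) in flows for r in reach):
                reach.add(dom[b])
        if any((r, u) in flows for r in reach):
            kept.append(a)
    return kept


def condensed_interf(u, v, domains, flows):
    """Cond(Interf(u, v)): the minimal chains v1..vn with u ~> v1 ~> .. ~> vn ~> v.
    A chain that repeats a domain, or passes through u or v, has a proper
    subsequence that is still a chain, so enumerating simple paths that avoid
    u and v suffices; this is why the condensed set is finite."""
    chains = []

    def dfs(last, path):
        if (last, v) in flows:
            chains.append(tuple(path))
        for d in domains:
            if d not in path and d not in (u, v) and (last, d) in flows:
                dfs(d, path + [d])

    dfs(u, [])
    return [c for c in chains
            if not any(o != c and is_subsequence(o, c) for o in chains)]


def encode_policy(domains, flows):
    """Pi(~>): (u, v) -> None for a strict assertion (A_u -/-> v), or the list
    of condensed chains, each read as the channel <>A_v1 <>A_v2 ... <>A_vn of a
    post-conditional assertion; pairs with u ~> v directly get no assertion."""
    policy = {}
    for u, v in product(domains, repeat=2):
        if u == v:
            continue
        chains = condensed_interf(u, v, domains, flows)
        if not chains:
            policy[(u, v)] = None
        elif chains != [()]:
            policy[(u, v)] = chains
    return policy


def purge(alpha, u, dom, policy):
    """purge_Pi for post-conditional assertions: an action of A_v is kept iff
    no assertion controls (v, u), or one channel of its assertion matches the
    suffix, i.e. the suffix's domains contain the chain as a subsequence
    (since [<>C lambda] = (A \\ C)* C [lambda] and [epsilon] = A*)."""
    kept = []
    for i, a in enumerate(alpha):
        rule = policy.get((dom[a], u), "free")
        suffix = [dom[b] for b in alpha[i + 1:]]
        if rule == "free" or (rule is not None and
                              any(is_subsequence(c, suffix) for c in rule)):
            kept.append(a)
    return kept


# Constructed policy: H ~> D ~> L plus reflexivity; one action per domain.
DOMAINS = ["H", "D", "L"]
FLOWS = {(d, d) for d in DOMAINS} | {("H", "D"), ("D", "L")}
DOM = {"h": "H", "d": "D", "l": "L"}
POLICY = encode_policy(DOMAINS, FLOWS)


def agree_on_all(max_len):
    """Prop. 2 checked exhaustively: ipurge == purge_Pi(~>) on every sequence
    over the constructed actions up to length max_len, for every user."""
    for n in range(max_len + 1):
        for alpha in product(DOM, repeat=n):
            for u in DOMAINS:
                if ipurge(list(alpha), u, DOM, FLOWS) != \
                        purge(list(alpha), u, DOM, POLICY):
                    return False
    return True


if __name__ == "__main__":
    print(POLICY)                                    # {('H', 'L'): [('D',)], ...}
    print(ipurge(["h", "d", "h"], "L", DOM, FLOWS))  # ['h', 'd']
    print(agree_on_all(6))                           # True
```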

Next we show that intransitive noninterference policies are always right-consistent.^ The proof of right-consistency requires the following lemmas, which basically show that the $\mathit{ipurge}$ functions are idempotent and preserve all the interference chains in their results.

Lemma 2: For all $\alpha \in A^*$ and $u, v \in U$, the sequence $\alpha$ contains an interference chain from $u$ to $v$ iff $\mathit{ipurge}(\alpha, v)$ contains an interference chain from $u$ to $v$.

Lemma 3: $\mathit{ipurge}(\mathit{ipurge}(\alpha, u), u) = \mathit{ipurge}(\alpha, u)$ for all $\alpha \in A^*$ and $u \in U$.

Proposition 3: Every intransitive noninterference policy is right-consistent.

Proof: Given a policy $\rightsquigarrow$, $u \in U$ and $\alpha, \alpha' \in A^*$, we show $\mathit{ipurge}(\alpha' \cdot \alpha, u) = \mathit{ipurge}(\alpha' \cdot \mathit{ipurge}(\alpha, u), u)$. We prove by induction on the length of $\alpha'$. Base case: $\mathit{ipurge}(\epsilon \cdot \mathit{ipurge}(\alpha, u), u) = \mathit{ipurge}(\epsilon \cdot \alpha, u)$ is by Lem. 3.

Suppose $\mathit{ipurge}(\gamma \cdot \mathit{ipurge}(\alpha, u), u) = \mathit{ipurge}(\gamma \cdot \alpha, u)$ for some $\gamma \in A^*$; we show the case for $a \cdot \gamma$.

• If $\mathit{ipurge}(a \cdot \gamma \cdot \alpha, u) = a \cdot \mathit{ipurge}(\gamma \cdot \alpha, u)$, then there exists an interference chain in $\gamma \cdot \alpha$ from $\mathit{dom}(a)$ to $u$. W.l.o.g., we write $a_1 a_2 \cdots a_i a_{i+1} \ldots a_n$ for the chain, where $a_1 a_2 \ldots a_i$ is contained in $\gamma$ and $a_{i+1} \ldots a_n$ is contained in $\alpha$. Then $a_{i+1} \ldots a_n$ is an interference chain from $\mathit{dom}(a_i)$ to $u$ by definition. Then there is also an interference chain $\eta$ from $\mathit{dom}(a_i)$ to $u$ in $\mathit{ipurge}(\alpha, u)$ by Lem. 2, so $a_1 a_2 \ldots a_i \cdot \eta$ is an interference chain from $\mathit{dom}(a)$ to $u$ in $\gamma \cdot \mathit{ipurge}(\alpha, u)$. Therefore $\mathit{ipurge}(a \cdot \gamma \cdot \mathit{ipurge}(\alpha, u), u) = a \cdot \mathit{ipurge}(\gamma \cdot \mathit{ipurge}(\alpha, u), u)$. Then we have $\mathit{ipurge}(a \cdot \gamma \cdot \alpha, u) = \mathit{ipurge}(a \cdot \gamma \cdot \mathit{ipurge}(\alpha, u), u)$ by prepending action $a$ on both sides of the induction hypothesis.

• If $\mathit{ipurge}(a \cdot \gamma \cdot \alpha, u) = \mathit{ipurge}(\gamma \cdot \alpha, u)$, then there does not exist an interference chain in $\gamma \cdot \alpha$ from $\mathit{dom}(a)$ to $u$. Therefore there does not exist an interference chain in $\gamma \cdot \mathit{ipurge}(\alpha, u)$, which is a shorter sequence. Then we have $\mathit{ipurge}(a \cdot \gamma \cdot \mathit{ipurge}(\alpha, u), u) = \mathit{ipurge}(\gamma \cdot \mathit{ipurge}(\alpha, u), u)$. Then we have the result by the induction hypothesis. ■

Since the effect of $\mathit{ipurge}$ on the policy $\rightsquigarrow$ is the same as that of $\mathit{purge}_{\Pi(\rightsquigarrow)}$, every policy $\Pi(\rightsquigarrow)$ encoding an intransitive noninterference policy is right-consistent. Together with the unwinding characterization for policies of post-conditional assertions in Sect. IV, this result makes it possible to reason about security with respect to intransitive noninterference by unwinding theorems that are both sufficient and necessary. This allows us to verify security properties that are related to intransitive information flow in a variety of areas (such as operating system and security protocol verification) in a more precise way.

^Note that intransitive noninterference policies are not necessarily left-consistent, since a prefix of a sequence does not necessarily contain an interference chain even if the whole sequence does. However, intuitively, left-consistency is not important for intransitive policies, which only place controls after an action is performed.

Moreover, our policy language on post-conditional assertions is strictly more expressive than the policies of intransitive noninterference, even in the case of $\mathit{Part} = \{A_u \mid u \in U\}$. An example could be a four-user system with $U = \{H, D_1, D_2, L\}$, on which we have a policy with a single assertion $(A_H \not\rightsquigarrow L \,|[\Diamond A_{D_1} \Diamond A_{D_2}]^{post})$, but neither $A_{D_1}$ nor $A_{D_2}$ is restricted from interfering with $L$. This policy asserts that an action from $H$ must be approved by both $D_1$ and $D_2$ in that particular order before being passed on to $L$, and $D_1$ is allowed to pass information to $L$ in a way independent of the actions from $D_2$. This policy is not expressible by intransitive noninterference. Moreover it is not hard to show that such a policy is still right-consistent.

IV. Unwinding Relations 

Unwinding provides a verification technique for noninterference-related security requirements. An unwinding theorem reduces the verification of an information flow security problem to the existence of a set of relations satisfying certain properties, which is thus easier to formalize and verify by existing tools such as proof assistants and model checkers.^ In this section we present general forms of unwinding theorems for the two classes of conditional noninterference assertions introduced in the previous sections.

The use of unwinding relations in the proof of noninterference has been discussed in the literature [18], [32], which is based on the assumption that the relation $\rightsquigarrow \subseteq U \times U$ is transitive. First we show that this result is still valid for the class of policies that consist of strict assertions. (Note here the relation $\rightsquigarrow$ as determined by the set of assertions is not necessarily transitive.) Given a machine $M = (S, s_0, \mathit{step}, \mathit{obs}, O)$ and a policy $\Pi$ consisting of only strict assertions, a set of unwinding relations $\{\sim_u\}_{u \in U}$ is defined as follows. For each user $u \in U$, $\sim_u \subseteq S \times S$ is an equivalence relation satisfying the conditions output consistency (OC), step consistency (SC), and local respect (LR).

OC: $s \sim_u t$ implies $\mathit{obs}_u(s) = \mathit{obs}_u(t)$.

SC: $s \sim_u t$ and $a \in A$ implies $\mathit{step}(s, a) \sim_u \mathit{step}(t, a)$.

LR: $s \sim_u \mathit{step}(s, a)$ if $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$.

The existence of a set of relations $\{\sim_u\}_{u \in U}$ that satisfy the above three properties is both sufficient and necessary for a system to be secure. The proof method is exactly the same as what was presented in [32]. Define a relation $\approx_u \subseteq S \times S$ for each $u \in U$ by $s \approx_u t$ if $\mathit{obs}_u(s) = \mathit{obs}_u(t)$.

Theorem 1: Given a policy $\Pi$, a system $M$ is secure with respect to $\Pi$ iff there exist unwinding relations $\{\sim_u\}_{u \in U}$.

Proof: The 'if' direction can be proved by induction on the length of the input actions in the same style as [32]. For the 'only if' direction, if $M$ is secure, we can show that the relations $\sim_u$ defined by $s \sim_u t$ if $s \cdot \alpha \approx_u t \cdot \alpha$ for all $\alpha \in A^*$ satisfy OC, SC and LR. ■

^Although noninterference properties are trace-based and unwinding is a bisimulation-based technique, the unwinding characterizations in this paper are tight partially because for deterministic systems trace semantics and bisimulation semantics coincide [41]. Extending unwinding as a complete characterization for trace-based information flow properties in nondeterministic systems will be challenging, and we leave it as future work.

A. Unwinding for Pre-conditional Assertions

We present an unwinding technique which is sound for policies consisting of pre-conditional assertions defined by the policy language $\Phi$. This technique is complete for policies that are left-consistent. Since the policy language produces a regular set of sequences, for each assertion $T$ of the form $(P \not\rightsquigarrow u \,|[\phi]^{pre})$ we write $\mathcal{A}(\phi)^T$ for the finite automaton accepting $L(\phi)$, and regard $\mathcal{A}(\phi)^T$ as the assertion automaton of $T$.

We define an additional rule for the unwinding relations on pre-conditional assertions. Given a machine $M$ in the form of $(S, s_0, \mathit{step}, \mathit{obs}, O)$ and a policy $\Pi$, a set of unwinding relations $\{\sim_u\}_{u \in U}$ are equivalence relations satisfying OC, SC, LR, and the new condition LR$^{pre}$, which is specified as follows.

LR$^{pre}$: $s \sim_u \mathit{step}(s, a)$ if $(\mathit{part}(a) \not\rightsquigarrow u \,|[\phi]^{pre}) \in \Pi$ and there exists $\alpha \in L(\phi)$ such that $s = s_0 \cdot \alpha$.

As LR ensures a partition to follow a strict assertion, the condition LR$^{pre}$ ensures the satisfaction of pre-conditional assertions in general. Intuitively, if a state is reachable by an action sequence within the language defined by an assertion, an action that is controlled by that assertion must be purged. We show that this characterization is sufficient for a system to be secure with respect to a policy consisting of only pre-conditional assertions. (A strict assertion can also be treated as a pre-conditional assertion by the regular expression $A^*$.)

Theorem 2: Given a system $M$ and a policy $\Pi$ consisting of only pre-conditional assertions, $M$ is secure if there exists a set of equivalence relations $\{\sim_u\}_{u \in U}$ satisfying OC, SC, LR and LR$^{pre}$.

If a given policy is left-consistent, then this characterization is also complete.

Theorem 3: Given a system $M$ and a policy $\Pi$ consisting of only pre-conditional assertions, if $M$ is secure and $\Pi$ is left-consistent, then there exists a set of equivalence relations $\{\sim_u\}_{u \in U}$ satisfying OC, SC, LR and LR$^{pre}$.

The regularity of the assertion language $\Phi$ allows us to apply assertion automata for pre-conditional assertions to mark the states where LR$^{pre}$ needs to be applied to purge an action. This could be done by a parallel composition of the machine $M$ with the $\mathcal{A}(\phi)^T$ for every $T = (P \not\rightsquigarrow u \,|[\phi]^{pre}) \in \Pi$, which could be automated in a model checker. Since assertion automata usually do not contain a lot of states, a local model checking algorithm is able to detect violations of security on-the-fly when a system is very large (even possibly of infinite states). We have the following reduction from noninterference security properties with policies consisting of pre-conditional assertions to safety properties.

For an assertion $T = (P \not\rightsquigarrow u \,|[\phi]^{pre}) \in \Pi$, we assume that an assertion automaton $\mathcal{A}(\phi)^T = (\Sigma_T, s_{(T,0)}, \to_T, F_T)$ is deterministic and accepts the language $L(\phi)$. We assume $\Pi$ is denumerable as $\{T_1, T_2, \ldots\}$. Given a machine $M = (S, s_0, \mathit{step}, \mathit{obs}, O)$, for each $u \in U$ we define a machine $M^u = (S^u, s^u_0, \mathit{step}^u, \mathit{obs}^u, \mathit{dom})$ to be the system with identical actions and domains, with states $S^u = S \times S \times \Sigma_{T_1} \times \Sigma_{T_2} \times \cdots$, initial state $s^u_0 = (s_0, s_0, s_{(T_1,0)}, s_{(T_2,0)}, \ldots)$, and the observation function $\mathit{obs}^u : S^u \to (O \times O)$ defined as $\mathit{obs}^u(s_1, s_2, t_1, t_2, \ldots) = (\mathit{obs}_u(s_1), \mathit{obs}_u(s_2))$ for $s_1, s_2 \in S$, and transition function $\mathit{step}^u : S^u \times A \to S^u$ given by $\mathit{step}^u((s_1, s_2, t_1, t_2, \ldots), a) = (s'_1, \mathit{step}(s_2, a), t'_1, t'_2, \ldots)$ with $a \in A$ and $t_i \xrightarrow{a}_{T_i} t'_i$ for all $i$, and

$$s'_1 = \begin{cases} s_1 & \text{if there is } T_i = (\mathit{part}(a) \not\rightsquigarrow u \,|[\phi_i]^{pre}) \text{ and } t_i \in F_{T_i}, \\ \mathit{step}(s_1, a) & \text{otherwise.} \end{cases}$$

Intuitively, in every transition, an action $a$ is not allowed to apply on the left part of a state pair if the assertion automaton controlling $\mathit{part}(a)$ and associated with $u$ is in a final state. A proof by induction shows that for every sequence of actions $\alpha \in A^*$, if $s^u_0 \cdot \alpha = (s, t, \ldots)$ in $M^u$, then in $M$ we have $s = s_0 \cdot \mathit{purge}_\Pi(\alpha, u)$ and $t = s_0 \cdot \alpha$. We therefore obtain the following.

Proposition 4: A machine $M$ is secure with respect to a left-consistent policy $\Pi$ iff for all $u \in U$ and for all states $s$ in $M^u$ reachable from $s^u_0$, we have that $\mathit{obs}^u(s) = (o, o')$ implies $o = o'$.

B. Unwinding for Post-conditional Assertions 

In this section we study the unwinding relations for policies consisting of post-conditional assertions defined by the policy language given in Fig. 2. The design of unwinding for this class of policies is rather involved. Our solution allows possibly more than one equivalence relation for each user. The underlying intuition is as follows. If an action $a$ is allowed to interfere with user $u$ only if it is followed by another action $b$, then for each state $s$, we need to have $s$ and $\mathit{step}(s, a)$ indistinguishable by $u$ after any sequence of actions that does not contain $b$. Based on that, we define a binary relation $\sim^{b}_u \subseteq S \times S$ and let $s \sim^{b}_u \mathit{step}(s, a)$ represent the effect that state $s$ and state $\mathit{step}(s, a)$ are not distinguishable by $u$ as long as $b$ is not performed (i.e., $s \sim^{b}_u t$ implies $\mathit{step}(s, c) \sim^{b}_u \mathit{step}(t, c)$ if $c \neq b$). Intuitively, such a relation must be an equivalence relation. For readability we move some of the proofs in this section into the appendix and only provide explanations of the proofs instead.

Let $\Pi$ be a policy of post-conditional assertions. For a user $u \in U$, write the set of assertions associated with $u$ as a subpolicy $\Pi_u \subseteq \Pi$. Let $\Omega = \mathcal{P}(\mathit{Part}) \cup \{\Diamond C \mid C \subseteq \mathit{Part}\}$. Define the set of terms which are suffixes of the given constraints in $\Pi_u$ as $\Lambda^u = \{\lambda \in \Omega^* \mid \exists \lambda' \in \Omega^*, (P \not\rightsquigarrow u \,|[\lambda_1 \cup \lambda_2 \cup \cdots \cup \lambda_n]^{post}) \in \Pi_u : \lambda' \cdot \lambda = \lambda_i \wedge i \in [1 \ldots n]\}$. Intuitively, this is the suffix closure of the set of post-conditional channels that allow information to be downgraded from some partition to $u$. The set of unwinding relations for a user $u \in U$ is $\{\sim^\delta_u \mid \delta \subseteq \Lambda^u\}$, which are the equivalence relations satisfying the following rules.

OC: $s \sim^\delta_u t$ implies $s \approx_u t$ for all $\delta \subseteq \Lambda^u$ with $\delta \cap \{\epsilon\} = \emptyset$.

SC$^+$: If $s \sim^\delta_u t$ and $a \in A$, then $\mathit{step}(s, a) \sim^{\mathit{sc}(\delta, a)}_u \mathit{step}(t, a)$.

LR: $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$ implies $s \sim_u \mathit{step}(s, a)$.

LR$^{post}$: $(\mathit{part}(a) \not\rightsquigarrow u \,|[\lambda_1 \cup \lambda_2 \cup \cdots \cup \lambda_n]^{post}) \in \Pi$ implies $s \sim^{\{\lambda_1, \lambda_2, \ldots, \lambda_n\}}_u \mathit{step}(s, a)$.

SUB: For all $\delta_1, \delta_2 \in \mathcal{P}(\Lambda^u)$, $\delta_1 \subseteq \delta_2$ implies $\sim^{\delta_1}_u \subseteq \sim^{\delta_2}_u$.

The function $\mathit{sc} : \mathcal{P}(\Lambda^u) \times A \to \mathcal{P}(\Lambda^u)$ is defined as $\mathit{sc}(\delta, a) = \bigcup_{\lambda \in \delta} \mathit{cut}(\lambda, a)$, where the cut function is defined as follows. Given $C \in \mathcal{P}(\mathit{Part})$ and $\lambda \in \Omega^*$,

• $\mathit{cut}(\epsilon, a) = \{\epsilon\}$ for all $a \in A$,

• $\mathit{cut}(C \cdot \lambda, a) = \{\lambda\}$ if $a \in C$,

• $\mathit{cut}(C \cdot \lambda, a) = \emptyset$ if $a \notin C$,

• $\mathit{cut}(\Diamond C \cdot \lambda, a) = \{\lambda\}$ if $a \in C$,

• $\mathit{cut}(\Diamond C \cdot \lambda, a) = \{\Diamond C \cdot \lambda\}$ if $a \notin C$.
The condition OC asserts that all such relations carrying unfinished downgrading channels to $u$ (with $\epsilon \notin \delta$) must be contained in $\approx_u$, i.e., the related states shall not currently be distinguished by $u$. The definition of the SC$^+$ rule follows the mechanism of pattern matching which simulates the process of purging. For example, if $s \sim^{\{P\lambda\}}_u t$, then after an action $a \in P$ is performed, $\mathit{step}(s, a)$ and $\mathit{step}(t, a)$ need to be related by the relation $\sim^{\{\lambda\}}_u$, indicating that an action in $P$ has been performed and that the rest of the downgrading channel is $\lambda$. The states can be related by two downgrading channels, e.g. $s \sim^{\{\lambda_1, \lambda_2\}}_u t$, indicating the two possibilities to affect the view (or to relax the indistinguishability relation) of $u$. When two states are related by a set with a completed channel, e.g., $s \sim^\delta_u t$ with $\epsilon \in \delta$, then $s$ and $t$ need not be indistinguishable to $u$ any more. Plainly $\sim^\delta_u = S \times S$ if $\epsilon \in \delta$, where $S$ is the state space of a machine. Informally, condition SUB indicates that the more channels a relation carries, the weaker the policy that relation represents. As $\sim_u$ (that is, $\sim^{\emptyset}_u$) is the smallest such relation for user $u \in U$, it represents strict noninterference, so that $u$ can never distinguish two states that are related by his own future behaviours. For a suffix constraint $\lambda$ in the form of $C\lambda'$ or $\Diamond C\lambda'$, write $f(\lambda)$ for $C$, which is the first set of actions to check in $\lambda$. We have the following property for function $\mathit{sc}$.

Lemma 4: For all $\lambda \in \mathit{sc}(\delta, a)$, at least one of the following conditions holds.

1) $\lambda = \epsilon$ and $\lambda \in \delta$,

2) $\lambda \in \delta$ with $a \notin f(\lambda)$,

3) $C\lambda \in \delta$ with $a \in C$,

4) $\Diamond C\lambda \in \delta$ with $a \in C$.

Lemma 5: For all $\delta_1, \delta_2 \in \mathcal{P}(\Lambda^u)$ and $u \in U$, $s \sim^{\delta_1}_u t$ and $t \sim^{\delta_2}_u r$ implies $s \sim^{\delta_1 \cup \delta_2}_u r$.

Proof: By the rule SUB we have $\sim^{\delta_1}_u \subseteq \sim^{\delta_1 \cup \delta_2}_u$ and $\sim^{\delta_2}_u \subseteq \sim^{\delta_1 \cup \delta_2}_u$, therefore $s \sim^{\delta_1 \cup \delta_2}_u t$ and $t \sim^{\delta_1 \cup \delta_2}_u r$. Then $s \sim^{\delta_1 \cup \delta_2}_u r$ by transitivity of the relation. ■

Similar to the pre-conditional constraints, every post-conditional constraint can be regarded as a pattern in a regular expression, such that an action must not be purged if it is followed by a sequence of actions within the pattern characterized by the constraint. Define an interpretation operator $[\cdot] : \Omega^* \to 2^{A^*}$ by $[\epsilon] = A^*$, $[C\lambda] = C[\lambda]$, and $[\Diamond C\lambda] = (A \setminus C)^* C [\lambda]$ for $C \subseteq A$, where $\lambda \in \Omega^*$.

Lemma 6: Given a system $M$, a user $u \in U$, and a policy $\Pi$ with only post-conditional assertions, if there exists a set of relations $\{\sim^\delta_u\}_{\delta \subseteq \Lambda^u, u \in U}$ satisfying OC, LR, LR$^{post}$, SC$^+$ and SUB, then for all $s, t \in S$ and $\alpha \in A^* \setminus \bigcup_{\lambda \in \delta} [\lambda]$ with $s \sim^\delta_u t$ and $\delta \subseteq \Lambda^u$ satisfying $\delta \cap \{\epsilon\} = \emptyset$, we have $s \cdot \alpha \approx_u t \cdot \mathit{purge}_\Pi(\alpha, u)$.

The proof of this lemma is by induction on the length of an action sequence on states that are related by all possible sets of incomplete channels. From Lem. 6 one can obtain the soundness result.

Theorem 4: Given a system $M$, a user $u \in U$, and a policy $\Pi$ with only post-conditional assertions, if there exists a set of relations $\{\sim^\delta_u\}_{\delta \subseteq \Lambda^u, u \in U}$ satisfying OC, LR, LR$^{post}$, SC$^+$ and SUB, then $M$ is secure with respect to $\Pi$.

Proof: We need to show for all $u \in U$ and $\alpha \in A^*$ that $s_0 \cdot \alpha \approx_u s_0 \cdot \mathit{purge}_\Pi(\alpha, u)$. Since $\sim_u$ is reflexive we have $s_0 \sim_u s_0$, then the result directly follows by Lem. 6. Note $\bigcup_{\lambda \in \emptyset} [\lambda] = \emptyset$. ■
To establish a completeness result, we study the set of relations $\{\approx^\delta_u\}_{\delta \subseteq \Lambda^u}$ specified as follows. Define $\approx^\delta_u \subseteq S \times S$ such that $s \approx^\delta_u t$ if for all $\alpha \in A^*$ satisfying $\alpha \notin [\lambda]$ for all $\lambda \in \delta$, $s \cdot \alpha \approx_u t \cdot \alpha$. We regard $\{\approx^\delta_u\}_{\delta \subseteq \Lambda^u}$ as the relations that characterize information flow security for post-conditional assertions, with some nice properties that are guaranteed by Lem. 7.

Lemma 7: For each user $u \in U$ in system $M$, the set of relations $\{\approx^\delta_u\}_{\delta \subseteq \Lambda^u}$ satisfies OC, SC$^+$ and SUB.

Finally we are able to prove that the existence of such unwinding relations is also necessary for a system to be secure, provided that the given policy consisting of post-conditional assertions is right-consistent. The methodology for proving Thm. 5 is that the OC, SC$^+$ and SUB conditions determine a set of the largest bisimulation-like relations $\{\approx^\delta_u\}_{\delta \subseteq \Lambda^u}$ on the state space for each $u$; then the LR and LR$^{post}$ conditions assert that noninterfering actions do not make transitions that go beyond each equivalence class. We leave the detailed proof in the appendix.

Theorem 5: Given a system $M$ with a right-consistent policy $\Pi$ consisting of post-conditional assertions, if $M$ is secure with respect to $\Pi$, then there exists a set of relations $\{\sim^\delta_u\}_{\delta \subseteq \Lambda^u}$ satisfying OC, LR, LR$^{post}$, SC$^+$ and SUB for all $u \in U$.

C. A Case Study on Unwinding 

We take the policy as introduced in example 2 and show how to construct unwinding relations in this simple system to ensure integrity of database operations. Suppose there are a finite number of employees $E = \{E_1, E_2, \ldots, E_m\}$ working with a database $B$ with finite entries $X = \{x_1, x_2, \ldots, x_n\}$, each of which stores a natural number. The action set available to $E_i$ is $A^r_i \cup A^w_i \cup \{a^i_b\}$, where $A^r_i = \{r(i, x) \mid x \in X\}$ and $A^w_i = \{w(i, x, v) \mid x \in X, v \in \mathbb{N}\}$. The state space is $S = (\{\mathit{succ}, \mathit{deny}, \mathit{ready}, \bot\} \cup \mathbb{N})^m \times \mathbb{N}^n$, so that a state $s = (o_1, o_2, \ldots, o_m, d_1, d_2, \ldots, d_n)$ is a snapshot of all employees' observations as well as the contents of database $B$. In this case we write $s(i)$ for $E_i$'s observation and $s(x_j)$ for the $j$-th entry of $B$ in $s$. The observation function for $B$ (as a user) is thus $\mathit{obs}_B(s) = (s(x_1), s(x_2), \ldots, s(x_n))$, and $\mathit{obs}_{E_i}(s) = s(i)$. Write $s[t \mapsto v]$ for a state identical to $s$ except that $s[t \mapsto v](t) = v$. The initial state $s_0$ is defined by $s_0(i) = \bot$ for all $i \in 1 \ldots m$, and $s_0(x_j) = $ for all $x_j \in X$. The transition function is defined as follows. For all $i \in 1 \ldots m$ and $x_k \in X$,

• $\mathit{step}(s, r(i, x_k)) = s[s(i) \mapsto s(x_k)][\forall j \neq i : s(j) \mapsto \bot]$,

• $\mathit{step}(s, w(i, x_k, v)) = s[s(i) \mapsto \mathit{deny}][\forall j \neq i : s(j) \mapsto \bot]$ if $s(i) \neq \mathit{ready}$, and $\mathit{step}(s, w(i, x_k, v)) = s[s(i) \mapsto \mathit{succ}][s(x_k) \mapsto v][\forall j \neq i : s(j) \mapsto \bot]$ otherwise,

• $\mathit{step}(s, a^i_b) = s[s(i) \mapsto \mathit{ready}][\forall j \neq i : s(j) \mapsto \bot]$,

where $[\forall j \neq i : s(j) \mapsto \bot]$ is short for $[s(1) \mapsto \bot] \ldots [s(i-1) \mapsto \bot][s(i+1) \mapsto \bot] \ldots [s(m) \mapsto \bot]$, which sets the observations of all users except $i$ to $\bot$. Informally, $a^i_b$ acquires a unique write-permission for $E_i$ by setting $i$'s observation to $\mathit{ready}$ and simultaneously removing all other employees' ability to write.

Recalling the security policy of example 2, we have the following three rules to ensure integrity of $B$. For all $E_i$, (1) reading actions do not modify $B$: $(A^r_i \not\rightsquigarrow B)$, (2) writing actions take effect only by immediately following a book-keeping action: $(A^w_i \not\rightsquigarrow B \,|[\phi_i]^{pre})$ with $L(\phi_i) = A^*(A \setminus \{a^i_b\})$, and (3) book-keeping does not have side effects: $(\{a^i_b\} \not\rightsquigarrow B \,|[A^w_i]^{post})$.

We treat (1) and (2) as pre-conditional assertions, by defining an equivalence relation as follows.^ Let $s \sim_B t$ if $\mathit{obs}_B(s) = \mathit{obs}_B(t)$ and for all $1 \leq i \leq m$, either $s(i) = t(i) = \mathit{ready}$, or $s(i) \neq \mathit{ready}$ and $t(i) \neq \mathit{ready}$.

^Since the policy is not designed to protect the employees, we only study the unwinding relations for $B$.



We show that $\sim_B$ is an unwinding relation for assertions (1) and (2).

• OC is trivial.

• For SC, if $s \sim_B t$, then for all $1 \leq i \leq m$, (1) $\mathit{step}(s, r(i, x)) \sim_B \mathit{step}(t, r(i, x))$, because $r(i, x)$ only sets $E_i$'s observation to $s(x)$, which is the same as $t(x)$ by definition, (2) $\mathit{step}(s, w(i, x, v)) \sim_B \mathit{step}(t, w(i, x, v))$, since the writing action either changes item $x$ to $v$ in both states or fails to change it in both, and (3) $\mathit{step}(s, a^i_b) \sim_B \mathit{step}(t, a^i_b)$, since the book-keeping action sets both states as $\mathit{ready}$ for $E_i$ to write and resets all other observations to $\bot$.

• For LR, it is obvious that $s \sim_B \mathit{step}(s, r(i, x))$ for all $i$ and $x$.

• For LR$^{pre}$, the language $L(\phi_i)$ is expressed as $A^*(A \setminus \{a^i_b\})$. Then we have that for all $\alpha \in A^*(A \setminus \{a^i_b\})$ and action $a$ in the form of $w(i, x, v)$, $\mathit{step}(s_0 \cdot \alpha, a) \sim_B s_0 \cdot \alpha$ (since no one is ready in $s_0 \cdot \alpha$ and no one is ready in $\mathit{step}(s_0 \cdot \alpha, a)$).

Assertion (3) is post-conditional, for which we establish the following relations.

- $\sim^{\delta}_B = S \times S$ for all $\delta$ with $\epsilon \in \delta$.

- $s \sim^{\{A^w_i\}}_B t$ if $\mathit{obs}_B(s) = \mathit{obs}_B(t)$, and for all $j \neq i$, either $s(j) = t(j) = \mathit{ready}$, or $s(j) \neq \mathit{ready}$ and $t(j) \neq \mathit{ready}$ (i.e., only $E_i$'s observation is relaxed from the constraints imposed on $\sim_B$).

- $\sim^{\emptyset}_B$ is defined as $\sim_B$.

We show this set of relations are unwinding relations for assertion (3).

• OC and SUB are trivial.

• For SC$^+$, the case for $\sim^\delta_B$ with $\epsilon \in \delta$ is trivial, since in this case $\sim^\delta_B = S \times S$. Let $s \sim^{\{A^w_i\}}_B t$; then for all $a \in A \setminus A^w_i$, we need to show $\mathit{step}(s, a) \sim_B \mathit{step}(t, a)$. This is straightforward because the only possibility to prevent $s$ from being related to $t$ by $\sim_B$ is that they disagree on $E_i$'s observation, and every action $a \in A \setminus A^w_i$ will set $E_i$'s observation to the same value in $\mathit{step}(s, a)$ and $\mathit{step}(t, a)$ without modifying $B$'s contents.

• For LR$^{post}$, for all $s \in S$, only $E_i$'s view is changed to $\mathit{ready}$ in $\mathit{step}(s, a^i_b)$, thus $s \sim^{\{A^w_i\}}_B \mathit{step}(s, a^i_b)$ by definition.

By establishing the unwinding relations, Thm. 2 and Thm. 4 guarantee that the system is secure with respect to the given policy. Moreover, one can still prove that the existence of such unwinding relations is complete for this particular policy in this example, by applying the techniques used in the proofs of Thm. 3 and Thm. 5. As the policy discussed in this example is neither left-consistent nor right-consistent (which can be shown from the purge function derived from the policy),^ this serves as an example showing that left- and right-consistency are not always necessary for a policy to be completely characterizable by the unwinding relations defined in this paper.
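As an added example that is not part of the paper, the following Python model encodes the case study's machine for $m = 2$ employees and $n = 1$ entry (a constructed instance), the purge function induced by assertions (1), (2) and (3), and checks the security condition $\mathit{obs}_B(s_0 \cdot \alpha) = \mathit{obs}_B(s_0 \cdot \mathit{purge}_\Pi(\alpha, B))$ exhaustively over all short action sequences; a variant that replaces (3) by a strict assertion reports the first sequence on which the post-conditional channel is needed. The initial entry value, the write values and the sequence-length bound are assumptions of the example.

```python
"""Added example, not from the paper: the database case study of Sect. IV-C
for m = 2 employees and n = 1 entry (a constructed instance), the purge
function induced by assertions (1)-(3), and an exhaustive check of
obs_B(s0 . alpha) = obs_B(s0 . purge_Pi(alpha, B)) over short sequences."""
from itertools import product

M, N = 2, 1                        # employees E_0, E_1 and entry x_0
BOT, READY, SUCC, DENY = "bot", "ready", "succ", "deny"
VALUES = (1, 2)                    # constructed write values

# Actions: ("r", i, k) = r(i, x_k); ("w", i, k, v) = w(i, x_k, v); ("b", i) = a_b^i
ACTIONS = ([("r", i, k) for i in range(M) for k in range(N)]
           + [("w", i, k, v) for i in range(M) for k in range(N) for v in VALUES]
           + [("b", i) for i in range(M)])

# A state is (observations, entries); initial entries assumed to be 0.
S0 = ((BOT,) * M, (0,) * N)


def step(s, a):
    """Transition function of the case study machine."""
    obs, db = list(s[0]), list(s[1])
    i = a[1]
    for j in range(M):              # [forall j != i : s(j) -> bot]
        if j != i:
            obs[j] = BOT
    if a[0] == "r":
        obs[i] = s[1][a[2]]
    elif a[0] == "w":
        if s[0][i] == READY:        # write-permission acquired by a_b^i
            obs[i], db[a[2]] = SUCC, a[3]
        else:
            obs[i] = DENY
    else:
        obs[i] = READY
    return (tuple(obs), tuple(db))


def run(s, alpha):
    for a in alpha:
        s = step(s, a)
    return s


def obs_B(s):
    return s[1]


def purge_B(alpha, strict_bookkeeping=False):
    """purge_Pi(alpha, B).  (1) r(i, x) is always purged.  (2) w(i, x, v) is
    purged when its prefix lies in A*(A \\ {a_b^i}), i.e. the prefix is
    non-empty and does not end with E_i's book-keeping action.  (3) a_b^i is
    purged unless its suffix lies in [A^w_i]^post = A^w_i A*, i.e. it is
    immediately followed by a write of E_i.  With strict_bookkeeping, (3) is
    replaced by the strict assertion ({a_b^i} -/-> B) for comparison."""
    kept = []
    for idx, a in enumerate(alpha):
        prefix, suffix = alpha[:idx], alpha[idx + 1:]
        if a[0] == "r":
            continue
        if a[0] == "w" and prefix and prefix[-1] != ("b", a[1]):
            continue
        if a[0] == "b" and (strict_bookkeeping or not (
                suffix and suffix[0][0] == "w" and suffix[0][1] == a[1])):
            continue
        kept.append(a)
    return kept


def first_violation(max_len, strict_bookkeeping=False):
    """Return the first sequence (in enumeration order, shortest first) on
    which B's observation after alpha differs from that after purge(alpha, B),
    or None when the system is secure for all sequences up to max_len."""
    for n in range(max_len + 1):
        for alpha in product(ACTIONS, repeat=n):
            alpha = list(alpha)
            purged = purge_B(alpha, strict_bookkeeping)
            if obs_B(run(S0, alpha)) != obs_B(run(S0, purged)):
                return alpha
    return None


if __name__ == "__main__":
    print(first_violation(4))          # None: secure under assertions (1)-(3)
    print(first_violation(3, True))    # [('b', 0), ('w', 0, 0, 1)]
```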

V. Related Work 

Conditional noninterference was first proposed by Goguen and Meseguer [17]. Our work extends their definition to a more general form, such that the control of information flow can be placed either before or after the actions with intended flow. The notion of intransitive noninterference was first proposed by Haigh and Young [21], and later revised by Rushby [32]. Our policy defined by post-conditional assertions is strictly more expressive than that of intransitive noninterference, as sketched in Sect. III-E. Nevertheless, the unwinding theorems presented for this more general policy are both sound and complete in a very general sense (we believe that action-based channel control policies are usually supposed to be consistent), while the weak unwinding relation [32] fails to be complete for intransitive noninterference in the literature. The unwinding technique of Mantel [23] is sound for a spectrum of trace-based properties [22], but it is also not complete. A few other works extend Rushby's weak unwinding in nondeterministic language-based settings [25], [24]. The result in this paper is based on systems with deterministic transition functions, but it will be straightforward to extend the definitions of our policies for both pre-conditional assertions and post-conditional assertions to nondeterministic systems, possibly by revising the unwinding rule SC (or SC$^+$) in the way of bisimulation [27].^

Bossi et al. extended the unwinding-based characterization for the security properties in SPA [14], [16] to support downgrading [6]. They described a policy for three security levels including H (high level user), D (downgrader) and L (low level user) by applying unwinding to disallow information flow from H to L without putting any constraint on D. Their approach is basically Goguen and Meseguer's strict noninterference policy [17] (as we sketched in example 1) in a nondeterministic environment with silent system moves. With respect to persistency [16], our policies by post-conditional assertions are inherently persistent, i.e., if a system is secure with respect to such policies then it is secure if every reachable state is a possible initial state. However, our policies by pre-conditional assertions are not necessarily persistent by definition.^ Roscoe and Goldsmith [31] generalized the determinism-based notion of noninterference [30] to intransitive noninterference with three security levels in the process algebra CSP. Their property is potentially stronger than most of the existing intransitive noninterference properties in the literature [36].

^Nevertheless, it is obvious that the pre-conditional part of the policy is left-consistent, and the post-conditional part of the policy is right-consistent, which helps to establish a proof for completeness.

^However, achieving completeness might be very nontrivial for unwinding in nondeterministic systems for trace-based properties.

^In this case, we claim that it is sufficient to verify the persistent version of a pre-conditional assertion $\phi$ by examining a policy automaton accepting the language $\{\alpha \cdot \alpha' \mid \alpha \in A^* \wedge \alpha' \in L(\phi)\}$.

Van der Meyden developed a new set of intransitive noninterference properties to reason about information flow epistemically [38]. As it was identified that Haigh and Young's intransitive flow property [21] may allow a downgrader to pass information from high level to low level without knowing what is to be downgraded, a number of new intransitive noninterference properties are introduced to capture the idea that a downgrader's knowledge about the secret information should be no less than what the low level user is able to get. The new properties defined by van der Meyden are stronger than intransitive noninterference [21], [32] and weaker than (strict) noninterference [17]. Our framework lies in a different dimension, in that we extend the framework of [17], [32] to support more flexible policies without much concern for a user's knowledge.

The methodologies for declassification of secret information have been surveyed by Sabelfeld and Sands [34], in which all related works are classified into four different dimensions: (1) who releases information, (2) what information is released, (3) where in the system information is released and (4) when information can be released. Although most of the surveyed works are in the language-based setting, the classification seems to make sense in state-based models as well. Our policy design supports the who dimension, by assigning a partition of a particular user in a policy to control information flow to a user, and also the where and when dimensions, by controlling information release only after a downgrading channel is fully established (such as allowed by post-conditional assertions). In terms of flexibility, as this framework does not assume a centralized security policy, it is possible to express integrity for decentralized flow control [28], by assigning users privileged actions to switch on and off writing permits to the files they own. However, as our policy is action-based, it might not be convenient to express decentralized confidentiality policies. More recently, Chong and Myers [?] define declassification and erasure policies that specify conditions under which information may be downgraded, or must be erased. Instead of binding policies on information, our pre-conditional policies focus on the control over the source and destination of information flow, by adding and removing permits from an action partition of a user via controlling actions.

Hadj-Alouane et al. studied verification of the intransitive noninterference property in finite state systems [20]. In order to verify the property, they reduce a system into an automaton accepting the reversed language, which potentially consumes space exponential in the size of the system. Pinsky also proposed an algorithm to verify noninterference properties [29]. However, that algorithm only works for transitive policies, and fails when the underlying information flow relation is intransitive. A new algorithm for intransitive noninterference is proposed by van der Meyden [37], which has a complexity bound polynomial in the size of a machine but exponential in the number of users. Verification of our unwinding relations for post-conditional assertions can be done in-place, therefore it is also polynomial time in the size of a system, but it could be exponential in the size of a policy (as shown in the subset construction on the set of post-conditional assertions when constructing unwinding relations). Nevertheless, our policies are strictly more general than intransitive noninterference policies, as shown in Sect. III-E. It will also be interesting to investigate algorithmic verification methods for generating unwinding relations in more general systems (i.e., systems that are not necessarily finite state), as it has been shown that verification of Mantel's BSPs [22] in push-down systems is undecidable [?]. The methodologies for reducing information flow properties to safety by self-composition have been discussed in the literature [10], [35], [?], [40], for a variety of system models.

VI. Conclusion and Future Work 

This work introduces a framework of information flow policies by noninterference assertions which generalizes existing work on both transitive and intransitive noninterference. Although noninterference is in general defined as a static security notion, we applied our policy language to express a number of dynamic security requirements including upgrading, downgrading and channel control. Our unwinding theorems on both pre-conditional and post-conditional assertions are novel, and to our knowledge they are more precise and more general than the existing results in the literature.

There is a possible future direction to extend our policy by allowing clock ticks to act as upgrading or downgrading channels. This will make it possible to express time-based control in real-time systems, which might be interesting future work to explore both upgrading and downgrading in the when dimension of [?].

There are plenty of extensions of noninterference in nondeterministic and probabilistic systems, and this will be interesting future work for conditional noninterference. We also believe that it will be of interest to find real cases where our unwinding theorems (or any suitable extensions) can be applied to verify their corresponding security requirements in more general systems. Furthermore, it is also possible to enrich our policy by incorporating state information into the policy language in a concrete system verification. Again, this will be of more interest in a sensible case study in the future.
Appendix

This appendix contains the proofs of some results pre- 
sented in the article. 

Proof: (of Prop. 2) We prove by induction on the length of an action sequence. Base case: $\mathit{ipurge}(\epsilon,u) = \mathit{purge}_{\Pi(\rightsquigarrow)}(\epsilon,u) = \epsilon$.

Suppose $\mathit{ipurge}(\alpha,u) = \mathit{purge}_{\Pi(\rightsquigarrow)}(\alpha,u)$ for some $\alpha \in A^*$; we show the case for $a \cdot \alpha$ with $a \in A$. If $\alpha$ contains an interference chain from $\mathit{dom}(a)$ to $u$, then $\mathit{ipurge}(a \cdot \alpha,u) = a \cdot \mathit{ipurge}(\alpha,u)$. Also $\mathit{purge}_{\Pi(\rightsquigarrow)}(a \cdot \alpha,u) = a \cdot \mathit{purge}_{\Pi(\rightsquigarrow)}(\alpha,u)$, since the purging of the actions in $\alpha$ does not depend on $a$, and $\Pi(\rightsquigarrow)$ contains a condensed interference chain from $\mathit{dom}(a)$ to $u$ by definition. If $\alpha$ does not contain an interference chain from $\mathit{dom}(a)$ to $u$, then $\mathit{ipurge}(a \cdot \alpha,u) = \mathit{ipurge}(\alpha,u)$ and $\mathit{purge}_{\Pi(\rightsquigarrow)}(a \cdot \alpha,u) = \mathit{purge}_{\Pi(\rightsquigarrow)}(\alpha,u)$. In both cases we have $\mathit{ipurge}(a \cdot \alpha,u) = \mathit{purge}_{\Pi(\rightsquigarrow)}(a \cdot \alpha,u)$. ■

Proof: (of Lem. 2) The 'if' direction is trivial, since $\mathit{ipurge}(\alpha,v)$ is contained in $\alpha$. For the 'only if' direction, suppose $\alpha' = a_1 a_2 \cdots a_n$ is an interference chain from $u$ to $v$ in $\alpha$; it can be shown by induction on every suffix of $\alpha'$ that all actions in $\alpha'$ will stay in the sequence $\mathit{ipurge}(\alpha,v)$. ■

Proof: (of Lem. 3) By induction on the length of $\alpha$. The base case is trivial.

Suppose $\mathit{ipurge}(\mathit{ipurge}(\alpha,u),u) = \mathit{ipurge}(\alpha,u)$; we show the case for $a \cdot \alpha$.

• If $\alpha$ contains an interference chain from $\mathit{dom}(a)$ to $u$, then $\mathit{ipurge}(\alpha,u)$ also contains an interference chain from $\mathit{dom}(a)$ to $u$ by Lem. 2. Therefore we have $\mathit{ipurge}(\mathit{ipurge}(a \cdot \alpha,u),u) = \mathit{ipurge}(a \cdot \mathit{ipurge}(\alpha,u),u) = a \cdot \mathit{ipurge}(\mathit{ipurge}(\alpha,u),u)$ and $\mathit{ipurge}(a \cdot \alpha,u) = a \cdot \mathit{ipurge}(\alpha,u)$. Since $\mathit{ipurge}(\alpha,u) = \mathit{ipurge}(\mathit{ipurge}(\alpha,u),u)$, we get $\mathit{ipurge}(a \cdot \alpha,u) = \mathit{ipurge}(\mathit{ipurge}(a \cdot \alpha,u),u)$ by the induction hypothesis.

• If $\alpha$ does not contain an interference chain from $\mathit{dom}(a)$ to $u$, then $\mathit{ipurge}(\alpha,u)$ also does not contain an interference chain from $\mathit{dom}(a)$ to $u$ by Lem. 2. Therefore $\mathit{ipurge}(\mathit{ipurge}(a \cdot \alpha,u),u) = \mathit{ipurge}(\mathit{ipurge}(\alpha,u),u)$ and $\mathit{ipurge}(a \cdot \alpha,u) = \mathit{ipurge}(\alpha,u)$. Then we have $\mathit{ipurge}(a \cdot \alpha,u) = \mathit{ipurge}(\mathit{ipurge}(a \cdot \alpha,u),u)$ by the induction hypothesis.

■
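As an added illustration (not part of the paper), the intransitive purge used in the proofs of Prop. 2, Lem. 2 and Lem. 3 above, implemented under the usual Rushby-style reading of "$\alpha$ contains an interference chain from $\mathit{dom}(a)$ to $u$", with a constructed three-domain policy and an exhaustive check of the idempotence property of Lem. 3 on short sequences; the sources-set formulation, the domain names and the action names are assumptions of this example, not the paper's own definitions.

```python
from itertools import product
from typing import Callable, Iterable, Optional, Sequence, Tuple

# Assumed reading of "alpha contains an interference chain from dom(a) to u"
# (Rushby's sources-set formulation): a chain is a subsequence a_1 ... a_n of
# alpha with dom(a) ~> dom(a_1) ~> ... ~> dom(a_n) ~> u, where n >= 0.

def ipurge(alpha: Sequence[str], u: str,
           dom: Callable[[str], str],
           interferes: Callable[[str, str], bool]) -> Tuple[str, ...]:
    """Intransitive purge, processed right to left as in the a.alpha
    induction of the proofs: keep a iff some chain in the kept suffix
    leads from dom(a) to u."""
    kept = []
    sources = {u}            # domains from which a chain reaches u in the suffix
    for a in reversed(alpha):
        d = dom(a)
        if any(interferes(d, v) for v in sources):
            kept.append(a)
            sources.add(d)   # a may now relay information from dom(a)
        # otherwise a is purged and the chain structure is unchanged
    return tuple(reversed(kept))

# Constructed policy: High ~> Downgrader ~> Low, but not High ~> Low.
EDGES = {("H", "D"), ("D", "L")}

def interferes(x: str, y: str) -> bool:
    return x == y or (x, y) in EDGES

def dom(a: str) -> str:
    return a[0].upper()      # actions h1, d1, l1 belong to H, D, L

def idempotent(alpha: Sequence[str], u: str) -> bool:
    """Lem. 3: ipurge(ipurge(alpha, u), u) = ipurge(alpha, u)."""
    once = ipurge(alpha, u, dom, interferes)
    return ipurge(once, u, dom, interferes) == once

def counterexample_to_lem3(actions: Iterable[str], u: str,
                           max_len: int = 5) -> Optional[Tuple[str, ...]]:
    """Exhaustively search sequences up to max_len; None means Lem. 3 held."""
    for n in range(max_len + 1):
        for alpha in product(tuple(actions), repeat=n):
            if not idempotent(alpha, u):
                return alpha
    return None

if __name__ == "__main__":
    # h1 reaches L only through a later d1, so the first call keeps h1
    # and the second (d1 before h1) purges it.
    print(ipurge(("h1", "d1", "l1"), "L", dom, interferes))  # ('h1', 'd1', 'l1')
    print(ipurge(("d1", "h1", "l1"), "L", dom, interferes))  # ('d1', 'l1')
    print(counterexample_to_lem3(("h1", "d1", "l1"), "L"))   # None
```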

Proof: (of Thm. 2) We show that if there exist relations $\{\approx_u\}_{u \in U}$ satisfying OC, SC, LR and LR-, then for all $u \in U$ and $\alpha \in A^*$, $s_0 \bullet \alpha \approx_u s_0 \bullet \mathit{purge}_\Pi(\alpha,u)$; then by OC we will have $s_0 \bullet \alpha \sim_u s_0 \bullet \mathit{purge}_\Pi(\alpha,u)$. We prove this by induction on the length of the action sequences. For $\alpha = \epsilon$, $\mathit{purge}_\Pi(\alpha,u) = \alpha = \epsilon$, and we have $s_0 \approx_u s_0$ by the fact that $\approx_u$ is reflexive. Suppose for some $\alpha \in A^*$ we have $s_0 \bullet \alpha \approx_u s_0 \bullet \mathit{purge}_\Pi(\alpha,u)$; we show the case for $\alpha \cdot a$.

• If $\mathit{purge}_\Pi(\alpha \cdot a,u) = \mathit{purge}_\Pi(\alpha,u)$, we have the following two cases: (1) $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$, (2) $(\mathit{part}(a) \not\rightsquigarrow u\ [\![\varphi]\!]^{\mathit{pre}}) \in \Pi$ and $\alpha \in L(\varphi)$. In both cases we have $s_0 \bullet \alpha \approx_u s_0 \bullet (\alpha \cdot a)$ by LR (or LR-). With the induction hypothesis $s_0 \bullet \alpha \approx_u s_0 \bullet \mathit{purge}_\Pi(\alpha \cdot a,u)$, by transitivity of $\approx_u$ we have $s_0 \bullet (\alpha \cdot a) \approx_u s_0 \bullet \mathit{purge}_\Pi(\alpha \cdot a,u)$.

• Otherwise, we have $\mathit{purge}_\Pi(\alpha \cdot a,u) = \mathit{purge}_\Pi(\alpha,u) \cdot a$. Then by the induction hypothesis and SC, we have $s_0 \bullet (\alpha \cdot a) \approx_u s_0 \bullet (\mathit{purge}_\Pi(\alpha,u) \cdot a)$, therefore $s_0 \bullet (\alpha \cdot a) \approx_u s_0 \bullet \mathit{purge}_\Pi(\alpha \cdot a,u)$.

■



Proof: (of Thm. 3) Suppose $M$ is secure; we show that the relations $\{\approx_u\}_{u \in U}$ defined by $s \approx_u t$ if for all $\alpha \in A^*$, $s \bullet \alpha \sim_u t \bullet \alpha$, satisfy OC, SC, LR and LR-.

• For OC, let $\alpha = \epsilon$; then we have that $s \approx_u t$ implies $s \sim_u t$.

• For SC, let $s \approx_u t$ and $a \in A$. If $\mathit{step}(s,a) \not\approx_u \mathit{step}(t,a)$, then there exists $\alpha \in A^*$ such that $\mathit{step}(s,a) \bullet \alpha \not\sim_u \mathit{step}(t,a) \bullet \alpha$, and then $s \bullet (a \cdot \alpha) \not\sim_u t \bullet (a \cdot \alpha)$, which contradicts $s \approx_u t$. Therefore $\mathit{step}(s,a) \approx_u \mathit{step}(t,a)$.

• For LR-, let $(P \not\rightsquigarrow u\ [\![\varphi]\!]^{\mathit{pre}}) \in \Pi$. If there exist $a \in P$ and $s \in S$ such that $s = s_0 \bullet \alpha$, $\alpha \in L(\varphi)$ and $s \not\approx_u \mathit{step}(s,a)$, then there exists $\alpha' \in A^*$ such that $s_0 \bullet \alpha \bullet \alpha' \not\sim_u \mathit{step}(s_0 \bullet \alpha, a) \bullet \alpha'$, which is equivalent to $s_0 \bullet (\alpha \cdot \alpha') \not\sim_u s_0 \bullet (\alpha \cdot a \cdot \alpha')$. However, since the policy $\Pi$ is left-consistent, we have $\mathit{purge}_\Pi(\alpha \cdot \alpha',u) = \mathit{purge}_\Pi(\mathit{purge}_\Pi(\alpha,u) \cdot \alpha',u)$ and $\mathit{purge}_\Pi(\alpha \cdot a \cdot \alpha',u) = \mathit{purge}_\Pi(\mathit{purge}_\Pi(\alpha \cdot a,u) \cdot \alpha',u)$. Then $\mathit{purge}_\Pi(\alpha \cdot \alpha',u) = \mathit{purge}_\Pi(\alpha \cdot a \cdot \alpha',u)$ by $\mathit{purge}_\Pi(\alpha,u) = \mathit{purge}_\Pi(\alpha \cdot a,u)$, i.e., $\alpha \cdot \alpha'$ and $\alpha \cdot a \cdot \alpha'$ have the same purged result with respect to $u$. Therefore we have either $s_0 \bullet (\alpha \cdot \alpha') \not\sim_u s_0 \bullet \mathit{purge}_\Pi(\alpha \cdot \alpha',u)$ or $s_0 \bullet (\alpha \cdot a \cdot \alpha') \not\sim_u s_0 \bullet \mathit{purge}_\Pi(\alpha \cdot a \cdot \alpha',u)$, contradicting the assumption that $M$ is secure.

• The case of LR is similar to LR-.

■

Proof: (of Lem. 6) We prove by induction on the length of $\alpha$. Base case: $\alpha = \epsilon$; then $\mathit{purge}_\Pi(\epsilon,u) = \epsilon$, and we have that $s \approx_u^{\delta} t$ implies $s \sim_u t$ by OC, for every $\delta$ with $\delta \cap \{\epsilon\} = \emptyset$. Suppose this holds for an action sequence $\alpha$ on all states $s, t$ and all $\delta \subseteq \Lambda_u$ with $\delta \cap \{\epsilon\} = \emptyset$ such that $s \approx_u^{\delta} t$ and $\alpha \in A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$; we show the case for $a \cdot \alpha$. Let $s \approx_u^{\delta} t$ with $a \cdot \alpha \in A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$ and $\delta \cap \{\epsilon\} = \emptyset$.

• If $\mathit{purge}_\Pi(a \cdot \alpha,u) = a \cdot \mathit{purge}_\Pi(\alpha,u)$, then we have $\mathit{step}(s,a) \approx_u^{\mathit{sc}(\delta,a)} \mathit{step}(t,a)$. First we show that $\epsilon \notin \mathit{sc}(\delta,a)$. If $\epsilon \in \mathit{sc}(\delta,a)$, then by Lem. 4 either (1) $\epsilon \in \delta$, or (2) there is $C$ or $OC$ in $\delta$ such that $a \in [C]$ or $a \in [OC^*]$, which implies $a \cdot \alpha \in [C]$ or $a \cdot \alpha \in [OC^*]$. Case (1) contradicts the assumption that $\delta \cap \{\epsilon\} = \emptyset$, and case (2) contradicts the assumption that $a \cdot \alpha \in A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$. Next we show that for all $\lambda \in \mathit{sc}(\delta,a)$, $\alpha \notin [\lambda]$. If there were $\lambda \in \mathit{sc}(\delta,a)$ such that $\alpha \in [\lambda]$, by Lem. 4 we would have the following cases: (1) if $\lambda \in \delta$ with $a \notin f(\lambda)$, then $a \cdot \alpha \in [\lambda]$; (2) if $C\lambda \in \delta$ or $OC\lambda \in \delta$ with $a \in C$, then $a \cdot \alpha \in [C\lambda]$ or $a \cdot \alpha \in [OC\lambda]$. Both cases contradict the assumption that $a \cdot \alpha \in A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$. Therefore for all $\lambda \in \mathit{sc}(\delta,a)$, $\alpha \notin [\lambda]$, i.e., $\alpha \in A^* \setminus \bigcup_{\lambda \in \mathit{sc}(\delta,a)}[\lambda]$. Then by the induction hypothesis, we have $\mathit{step}(s,a) \bullet \alpha \sim_u \mathit{step}(t,a) \bullet \mathit{purge}_\Pi(\alpha,u)$. Therefore $s \bullet (a \cdot \alpha) \sim_u t \bullet \mathit{purge}_\Pi(a \cdot \alpha,u)$.

• If $\mathit{purge}_\Pi(a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha,u)$, we have the following two cases.

  - If $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$, then by LR we have $s \approx_u^{\emptyset} \mathit{step}(s,a)$, and then $\mathit{step}(s,a) \approx_u^{\delta} t$ by Lem. 5. By the induction hypothesis, we have $\mathit{step}(s,a) \bullet \alpha \sim_u t \bullet \mathit{purge}_\Pi(\alpha,u)$, and then $s \bullet (a \cdot \alpha) \sim_u t \bullet \mathit{purge}_\Pi(a \cdot \alpha,u)$.

  - If $(\mathit{part}(a) \not\rightsquigarrow u\ [\![\lambda_1 \cup \lambda_2 \cup \cdots \cup \lambda_n]\!]^{\mathit{post}}) \in \Pi$ and $\alpha \notin [\lambda_i]$ for all $i \in [1 \ldots n]$, then by LR- we have $\mathit{step}(s,a) \approx_u^{\{\lambda_1,\lambda_2,\ldots,\lambda_n\}} s$, and then $\mathit{step}(s,a) \approx_u^{\delta \cup \{\lambda_1,\lambda_2,\ldots,\lambda_n\}} t$ by Lem. 5. Since $\alpha \notin [\lambda']$ for all $\lambda' \in \delta$, and $\alpha \notin [\lambda_i]$ for all $i$ by assumption, we have $\alpha \in A^* \setminus \bigcup_{\lambda' \in \delta \cup \{\lambda_1,\lambda_2,\ldots,\lambda_n\}}[\lambda']$. Then by the induction hypothesis, we get $\mathit{step}(s,a) \bullet \alpha \sim_u t \bullet \mathit{purge}_\Pi(\alpha,u)$, therefore $s \bullet (a \cdot \alpha) \sim_u t \bullet \mathit{purge}_\Pi(a \cdot \alpha,u)$.

■



Proof: (of Lem. 7)

For OC, let $\delta \subseteq \Lambda_u$ be a set that does not contain $\epsilon$, and let $s \approx_u^{\delta} t$. Since $\epsilon \notin [\lambda]$ for all $\lambda \in \Lambda_u \setminus \{\epsilon\}$, we have $s \bullet \epsilon \sim_u t \bullet \epsilon$. Therefore $s \sim_u t$.

For SUB, let $s \approx_u^{\delta} t$ and $\delta \subseteq \delta' \subseteq \Lambda_u$; we need to show $s \approx_u^{\delta'} t$. Since $\delta \subseteq \delta'$, we have $\bigcup_{\lambda \in \delta}[\lambda] \subseteq \bigcup_{\lambda \in \delta'}[\lambda]$, so $A^* \setminus \bigcup_{\lambda \in \delta'}[\lambda] \subseteq A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$. By $s \approx_u^{\delta} t$, we have $s \bullet \alpha \sim_u t \bullet \alpha$ for all $\alpha \in A^* \setminus \bigcup_{\lambda \in \delta}[\lambda]$, so $s \bullet \alpha \sim_u t \bullet \alpha$ for all $\alpha \in A^* \setminus \bigcup_{\lambda \in \delta'}[\lambda]$. Then we have $s \approx_u^{\delta'} t$ by definition.

For SC+, let $s \approx_u^{\delta} t$ and $a \in A$; we study the following cases on the relations which may relate $\mathit{step}(s,a)$ and $\mathit{step}(t,a)$.

  - If $\epsilon \in \delta$, then by definition $\approx_u^{\{\epsilon\}} = S \times S$, therefore $\mathit{step}(s,a) \approx_u^{\{\epsilon\}} \mathit{step}(t,a)$.

  - If $P\lambda \in \delta$ and $a \in P$, then for all $\alpha \in A^* \setminus [\lambda]$, $\mathit{step}(s,a) \bullet \alpha \sim_u \mathit{step}(t,a) \bullet \alpha$, because if not, then we would have $s \bullet (a \cdot \alpha) \not\sim_u t \bullet (a \cdot \alpha)$ such that $a \cdot \alpha \notin [P\lambda]$. Therefore $\mathit{step}(s,a) \approx_u^{\{\lambda\}} \mathit{step}(t,a)$.

  - If $P\lambda \in \delta$ and $a \notin P$, then we have $\mathit{step}(s,a) \bullet \alpha \sim_u \mathit{step}(t,a) \bullet \alpha$ for all $\alpha \in A^*$, because if not, then we would have $s \bullet (a \cdot \alpha) \not\sim_u t \bullet (a \cdot \alpha)$ such that $a \cdot \alpha \notin [P\lambda]$. Therefore $\mathit{step}(s,a) \approx_u^{\emptyset} \mathit{step}(t,a)$.

  - If $OP\lambda \in \delta$ and $a \in P$, then we have $\mathit{step}(s,a) \bullet \alpha \sim_u \mathit{step}(t,a) \bullet \alpha$ for all $\alpha \in A^* \setminus [\lambda]$, which is similar to the case of $P\lambda \in \delta$. Therefore $\mathit{step}(s,a) \approx_u^{\{\lambda\}} \mathit{step}(t,a)$.

  - If $OP\lambda \in \delta$ and $a \notin P$, then we have $\mathit{step}(s,a) \bullet \alpha \sim_u \mathit{step}(t,a) \bullet \alpha$ for all $\alpha \in A^* \setminus [OP\lambda]$, because if not, then we would have $s \bullet (a \cdot \alpha) \not\sim_u t \bullet (a \cdot \alpha)$ with $a \cdot \alpha \notin [OP\lambda]$. Therefore $\mathit{step}(s,a) \approx_u^{\{OP\lambda\}} \mathit{step}(t,a)$.

The above cases give us $\mathit{cut}(\lambda,a)$ for every member $\lambda \in \delta$. By SUB we take the union of all the singleton and empty sets to get $(\mathit{step}(s,a), \mathit{step}(t,a)) \in\ \approx_u^{\bigcup_{\lambda \in \delta}\mathit{cut}(\lambda,a)}$. Therefore $\mathit{step}(s,a) \approx_u^{\mathit{sc}(\delta,a)} \mathit{step}(t,a)$ by definition.

■

Proof: (of Thm. 1) Suppose $M$ is secure with respect to $\Pi$; then for each $u \in U$ the relations $\{\approx_u^{\delta}\}_{\delta \subseteq \Lambda_u}$ satisfy OC, SC+ and SUB by Lem. 7. Then we only need to show that they also satisfy LR and LR-, in the following cases.

• Suppose the relations do not satisfy LR for some $u \in U$; then there exist a reachable state $s$ and an assertion $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$ such that $\mathit{step}(s,a) \not\approx_u^{\emptyset} s$. Therefore there exists some $\alpha \in A^*$ such that $\mathit{step}(s,a) \bullet \alpha \not\sim_u s \bullet \alpha$. Since $s$ is reachable we have $s = s_0 \bullet \alpha'$ for some $\alpha' \in A^*$. Then we have $s_0 \bullet (\alpha' \cdot a \cdot \alpha) \not\sim_u s_0 \bullet (\alpha' \cdot \alpha)$. However, $\mathit{purge}_\Pi(\alpha' \cdot a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha' \cdot \mathit{purge}_\Pi(a \cdot \alpha,u),u)$ and $\mathit{purge}_\Pi(\alpha' \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha' \cdot \mathit{purge}_\Pi(\alpha,u),u)$ by right-consistency of $\Pi$. Since $\mathit{purge}_\Pi(a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha,u)$ by $(\mathit{part}(a) \not\rightsquigarrow u) \in \Pi$, we have $\mathit{purge}_\Pi(\alpha' \cdot a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha' \cdot \alpha,u)$. By the assumption that $M$ is secure, we have $s_0 \bullet (\alpha' \cdot a \cdot \alpha) \sim_u s_0 \bullet \mathit{purge}_\Pi(\alpha' \cdot a \cdot \alpha,u)$ and $s_0 \bullet \mathit{purge}_\Pi(\alpha' \cdot \alpha,u) \sim_u s_0 \bullet (\alpha' \cdot \alpha)$. Then we have $s_0 \bullet (\alpha' \cdot a \cdot \alpha) \sim_u s_0 \bullet (\alpha' \cdot \alpha)$, which is a contradiction. Therefore the relations $\{\approx_u^{\delta}\}_{\delta \subseteq \Lambda_u}$ satisfy LR for all $u \in U$.

• Suppose the relations do not satisfy LR-; then there exist a reachable state $s$ and an assertion $(\mathit{part}(a) \not\rightsquigarrow u\ [\![\lambda]\!]^{\mathit{post}}) \in \Pi$ such that $\mathit{step}(s,a) \not\approx_u^{\{\lambda\}} s$. So there exists $\alpha \in A^* \setminus [\lambda]$ such that $s \bullet (a \cdot \alpha) \not\sim_u s \bullet \alpha$. Since $s$ is reachable, there exists $\alpha' \in A^*$ such that $s_0 \bullet \alpha' = s$. Therefore we have $s_0 \bullet (\alpha' \cdot a \cdot \alpha) \not\sim_u s_0 \bullet (\alpha' \cdot \alpha)$. Also, since $\alpha \in A^* \setminus [\lambda]$, by definition $\mathit{purge}_\Pi(a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha,u)$. Then we have $\mathit{purge}_\Pi(\alpha' \cdot a \cdot \alpha,u) = \mathit{purge}_\Pi(\alpha' \cdot \alpha,u)$. The rest of the proof is similar to the above case.

■



